
Request for Dependency Upgrade: Pillow >=10.0.1

Open viniciusccosta opened this issue 2 years ago • 2 comments

Description:

I would like to request an upgrade to the Pillow dependency in tkhtmlview. Currently, tkhtmlview relies on Pillow version >=9.4.0,<10.0.0, which includes a bundled libwebp binary that is known to be vulnerable to CVE-2023-5129 (previously CVE-2023-4863).

Suggested Action:

I propose upgrading the Pillow dependency to version >=10.0.1 or a higher version. Pillow v10.0.1 includes an updated libwebp binary to v1.3.2, which resolves the security vulnerability.

Rationale:

Addressing this security vulnerability is crucial to ensure the safety and reliability of tkhtmlview and its users. Upgrading the dependency will contribute to the overall security of the project and the broader Python ecosystem.

Additional Information:

  • Package Name: tkhtmlview
  • Current Version: 0.2.0
  • Python Version: >=3.7,<4.0

Thank you for considering this request, and I appreciate your efforts in maintaining the tkhtmlview project.

viniciusccosta · Oct 05 '23 13:10
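The fix the issue asks for is a change to one dependency specifier, and the useful check on the maintainer side is whether a given specifier still resolves to a Pillow release older than 10.0.1 (the first release the issue names as bundling libwebp 1.3.2) or, worse, caps the range so the fixed release can never be selected. The following is an added example, not tkhtmlview's own code: a small Python audit over a requirements.txt-style constraint. The `audit_specifier` and `audit_requirements` functions, the `FIXED_VERSION` constant and the sample requirements text are all assumptions constructed for this example; the specifier `>=9.4.0,<10.0.0` and the fixed version `10.0.1` come from the issue.

```python
"""Audit a Pillow dependency specifier against the libwebp fix in Pillow 10.0.1.

Added example, not tkhtmlview's own code. It assumes a requirements.txt-style
constraint string such as ">=9.4.0,<10.0.0" built from plain PEP 440 operators.
"""
import re
from typing import Dict, List, Optional, Tuple

# The issue names Pillow 10.0.1 as the first release bundling libwebp 1.3.2.
FIXED_VERSION = "10.0.1"

_CLAUSE = re.compile(r"^(>=|<=|==|!=|~=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_PILLOW_LINE = re.compile(r"^\s*pillow\s*([<>=!~].*?)\s*(?:#.*)?$", re.IGNORECASE)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.4' -> (9, 4, 0): zero-pad so release numbers compare component-wise."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _compatible_ceiling(text: str) -> Version:
    """PEP 440 '~=9.4.0' means >=9.4.0,<9.5; '~=9.4' means >=9.4,<10."""
    prefix = [int(p) for p in text.split(".")][:-1]
    if not prefix:
        raise ValueError("'~=' needs at least two version components")
    prefix[-1] += 1
    return parse_version(".".join(str(p) for p in prefix))


def audit_specifier(spec: str, fixed: str = FIXED_VERSION) -> Dict[str, object]:
    """Report whether `spec` still admits releases below `fixed` or excludes it."""
    fixed_v = parse_version(fixed)
    floor: Optional[Version] = None
    exact: Optional[Version] = None
    ceiling: Optional[Tuple[Version, bool]] = None  # (version, inclusive)

    for clause in [c.strip() for c in spec.split(",") if c.strip()]:
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, raw = m.groups()
        v = parse_version(raw)
        if op in (">=", ">", "~="):
            # '>' is treated like '>=' here on purpose: conservative, because
            # post-releases of the excluded version can still resolve.
            floor = v if floor is None else max(floor, v)
            if op == "~=":
                cap = (_compatible_ceiling(raw), False)
                if ceiling is None or cap[0] <= ceiling[0]:
                    ceiling = cap
        elif op == "==":
            exact = v
        elif op == "<":
            if ceiling is None or v <= ceiling[0]:
                ceiling = (v, False)
        elif op == "<=":
            if ceiling is None or v < ceiling[0]:
                ceiling = (v, True)
        # '!=' excludes single versions and never changes the floor, so it is ignored.

    if exact is not None:
        floor = exact
        allows_vulnerable = exact < fixed_v
        blocks_fix = exact < fixed_v
    else:
        # No lower bound at all means any old release satisfies the specifier.
        allows_vulnerable = floor is None or floor < fixed_v
        blocks_fix = ceiling is not None and (
            ceiling[0] < fixed_v or (ceiling[0] == fixed_v and not ceiling[1])
        )
    return {
        "floor": None if floor is None else ".".join(map(str, floor)),
        "allows_vulnerable": allows_vulnerable,
        "blocks_fix": blocks_fix,
        "suggested": f">={fixed}",
    }


def audit_requirements(text: str, fixed: str = FIXED_VERSION) -> List[Dict[str, object]]:
    """Run audit_specifier over every Pillow line in a requirements.txt body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _PILLOW_LINE.match(line)
        if m:
            result = audit_specifier(m.group(1), fixed)
            result["line"] = lineno
            result["spec"] = m.group(1)
            findings.append(result)
    return findings


# Constructed sample input: the constraint quoted in the issue next to an unrelated pin.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
Pillow>=9.4.0,<10.0.0   # bundles libwebp < 1.3.2
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run against the constraint from the issue, the audit reports both problems at once: the floor of 9.4.0 admits vulnerable releases, and the `<10.0.0` ceiling makes it impossible for a resolver to ever pick 10.0.1, so bumping only the lower bound would not be enough. A specifier of `>=10.0.1` clears both checks.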

Due to some personal health issues I haven't been able to work on this project for quite some time.

I will work on this very soon.

bauripalash · Dec 06 '23 02:12

I have published a new version, 0.3.0, which requires Pillow >= 10.

bauripalash · Mar 21 '24 13:03