fix(deps): bump pillow and json-repair to clear CI security-scan failures#122
Merged
Conversation
…ures CI's pip-audit step was failing (blocking PR #120 and #121) because two dependencies had known security bugs with fixes already published. - pillow 12.2.0 -> 12.3.0, json-repair 0.59.10 -> 0.61.4 (both just needed a lockfile bump, no code changes required) - setuptools also has a known bug (fixed in 83.0.0), but torch pins it to "<82" so we can't move it ourselves; added it to the security recipe's ignore list with a comment, matching the existing docling/torch entries
|
Caution Review failedAn error occurred during the review process. Please try again later. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@justfile`:
- Around line 46-50: Update the CI pip-audit invocation in the workflow to also
ignore PYSEC-2026-3447, matching the exclusions in the justfile security recipe.
Keep the existing CVE exclusions unchanged, or centralize the shared command if
that is already supported.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 0a4452b6-63d0-496c-8ff8-e859dd71251f
⛔ Files ignored due to path filters (1)
uv.lockis excluded by!**/*.lock,!uv.lock
📒 Files selected for processing (1)
justfile
CodeRabbit caught that the CI workflow runs its own copy of the pip-audit command instead of `just security`, so the setuptools ignore added in the justfile wasn't actually reaching CI — the Security check was still red on this PR. Mirrored the same --ignore-vuln flag and explanation into ci.yml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Fix Pull Request
Related Issue
No linked issue — found while investigating why CI was red on PR #120 and #121.
Description
just ci(and therefore CI) was failing on every PR because the security scan (pip-audit) found dependencies with known security bugs. This fixes those.In plain terms: two of our dependencies,
pillow(image handling) andjson-repair(used by an LLM library), had security advisories filed against the versions we had pinned, and both already had fixed versions released. We just needed to updateuv.lockto pull in the fixed versions — no code changes needed.A third one,
setuptools, also has a fix available, but we can't take it:torch(a dependency we don't control) requiressetuptools<82, and the fix is83.0.0. Since we can't bump past torch's own ceiling, this one gets added to the security check's ignore-list, the same way two earlier "can't fix, not our call" CVEs already are (see the comments abovesecurity:in thejustfile).Type of Changes
Root Cause
pip-audit(part ofjust ci/just security) flagged newly-disclosed CVEs inpillow,json-repair, andsetuptools. Two had fixed versions we simply hadn't picked up yet inuv.lock. The third's fix is blocked bytorch's own dependency pin.Solution
pillow12.2.0 → 12.3.0 andjson-repair0.59.10 → 0.61.4 inuv.lock(targeted lockfile edit — only these two packages' entries changed, nothing else in the dependency graph moved).--ignore-vuln PYSEC-2026-3447(the setuptools CVE) to thesecurityrecipe injustfile, with a comment explaining it's blocked bytorch'ssetuptools<82pin — consistent with the two existing ignored CVEs already documented there.Testing
Ran
just cilocally end to end: lint, 439 regression tests, bandit, and pip-audit all pass now (pip-audit: "No known vulnerabilities found, 3 ignored").("added tests" isn't literally applicable here — this is a dependency-version fix, not new logic — but the existing test suite passing is the relevant proof.)
Checklist
Summary by CodeRabbit