Skip to content

fix(deps): bump pillow and json-repair to clear CI security-scan failures#122

Merged
haroldship merged 2 commits into
mainfrom
fix/ci-security-cve-bumps
Jul 14, 2026
Merged

fix(deps): bump pillow and json-repair to clear CI security-scan failures#122
haroldship merged 2 commits into
mainfrom
fix/ci-security-cve-bumps

Conversation

@haroldship

@haroldship haroldship commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Bug Fix Pull Request

Related Issue

No linked issue — found while investigating why CI was red on PR #120 and #121.

Description

just ci (and therefore CI) was failing on every PR because the security scan (pip-audit) found dependencies with known security bugs. This fixes those.

In plain terms: two of our dependencies, pillow (image handling) and json-repair (used by an LLM library), had security advisories filed against the versions we had pinned, and both already had fixed versions released. We just needed to update uv.lock to pull in the fixed versions — no code changes needed.

A third one, setuptools, also has a fix available, but we can't take it: torch (a dependency we don't control) requires setuptools<82, and the fix is 83.0.0. Since we can't bump past torch's own ceiling, this one gets added to the security check's ignore-list, the same way two earlier "can't fix, not our call" CVEs already are (see the comments above security: in the justfile).

Type of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix that would cause existing functionality to not work as expected)

Root Cause

pip-audit (part of just ci / just security) flagged newly-disclosed CVEs in pillow, json-repair, and setuptools. Two had fixed versions we simply hadn't picked up yet in uv.lock. The third's fix is blocked by torch's own dependency pin.

Solution

  • Bumped pillow 12.2.0 → 12.3.0 and json-repair 0.59.10 → 0.61.4 in uv.lock (targeted lockfile edit — only these two packages' entries changed, nothing else in the dependency graph moved).
  • Added --ignore-vuln PYSEC-2026-3447 (the setuptools CVE) to the security recipe in justfile, with a comment explaining it's blocked by torch's setuptools<82 pin — consistent with the two existing ignored CVEs already documented there.

Testing

  • I have tested this fix locally
  • I have added tests that prove my fix works
  • All new and existing tests passed
  • I have verified the bug no longer occurs

Ran just ci locally end to end: lint, 439 regression tests, bandit, and pip-audit all pass now (pip-audit: "No known vulnerabilities found, 3 ignored").

("added tests" isn't literally applicable here — this is a dependency-version fix, not new logic — but the existing test suite passing is the relevant proof.)

Checklist

  • My code follows the code style of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if needed

Summary by CodeRabbit

  • Chores
    • Updated security auditing configuration to account for a known vulnerability.
    • Existing security checks remain unchanged.

…ures

CI's pip-audit step was failing (blocking PR #120 and #121) because two
dependencies had known security bugs with fixes already published.

- pillow 12.2.0 -> 12.3.0, json-repair 0.59.10 -> 0.61.4 (both just needed
  a lockfile bump, no code changes required)
- setuptools also has a known bug (fixed in 83.0.0), but torch pins it to
  "<82" so we can't move it ourselves; added it to the security recipe's
  ignore list with a comment, matching the existing docling/torch entries
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/ci-security-cve-bumps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@justfile`:
- Around line 46-50: Update the CI pip-audit invocation in the workflow to also
ignore PYSEC-2026-3447, matching the exclusions in the justfile security recipe.
Keep the existing CVE exclusions unchanged, or centralize the shared command if
that is already supported.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0a4452b6-63d0-496c-8ff8-e859dd71251f

📥 Commits

Reviewing files that changed from the base of the PR and between 119b091 and 1aac980.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock, !uv.lock
📒 Files selected for processing (1)
  • justfile

Comment thread justfile
CodeRabbit caught that the CI workflow runs its own copy of the
pip-audit command instead of `just security`, so the setuptools ignore
added in the justfile wasn't actually reaching CI — the Security check
was still red on this PR. Mirrored the same --ignore-vuln flag and
explanation into ci.yml.
@haroldship haroldship merged commit befa97b into main Jul 14, 2026
4 checks passed
@haroldship haroldship deleted the fix/ci-security-cve-bumps branch July 14, 2026 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant