Is it possible to require at least Pillow 10.3.0 to solve those security issues?
We’ve changed the way dependencies are defined in WeasyPrint a few times recently (see #2297 and #2207 for example), and we’re finally back to our original strategy:
we don’t fix upper bounds, so that users can upgrade dependencies (and possibly fix security problems),
we fix lower bounds according to technical needs, so that users and packagers can know which version is technically required.
Not updating our dependencies because of security issues allows Linux packagers and users to use a lower version of Pillow, where security issues have been backported.
WeasyPrint has Pillow 9.1.0 as a dependency. This version of Pillow has multiple high and critical vulnerabilities.
CVE-2022-30595 critical
CVE-2023-4863 critical
CVE-2023-50447 high
CVE-2023-44271 high
CVE-2022-45198 high
GHSA-56pw-mpj4-fxww high
CVE-2024-28219 medium
Is it possible to require at least Pillow 10.3.0 to solve those security issues?
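As an added illustration of the two positions above (a lower bound only, versus a lower bound raised to the version that carries the fixes), the following audit helper is not part of WeasyPrint or of this thread; the requirement strings in SAMPLE_REQUIREMENTS are constructed, and 10.3.0 is the floor the reporter names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version the reporter says resolves every advisory listed in the issue.
MIN_FIXED_PILLOW = "10.3.0"

# Constructed samples: the bound WeasyPrint is reported to carry, the one
# requested, and a capped variant of the kind the maintainers avoid.
SAMPLE_REQUIREMENTS = ["pillow>=9.1.0", "pillow>=10.3.0", "pillow>=9.1.0,<10"]

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<specs>.*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.0' into (10, 3, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def _clauses(requirement: str) -> List[str]:
    specs = _REQ_RE.match(requirement).group("specs")
    return [c.strip() for c in specs.split(",") if c.strip()]


def lower_bound(requirement: str) -> Optional[Tuple[int, ...]]:
    """Lowest version the specifier admits, or None when unbounded below."""
    floors = []
    for clause in _clauses(requirement):
        for op in (">=", "==", ">"):
            if clause.startswith(op):
                floors.append(parse_version(clause[len(op):]))
                break
    return max(floors) if floors else None


def has_upper_bound(requirement: str) -> bool:
    """True when a clause caps the version (<, <=, ==, ~=), blocking upgrades."""
    return any(c.startswith(("<", "==", "~=")) for c in _clauses(requirement))


def admits_unfixed(requirement: str, fixed: str = MIN_FIXED_PILLOW) -> bool:
    """True if a resolver may still pick a release older than `fixed`.

    Version-only logic: a distro package labelled 9.1.0 may carry backported
    fixes, which is the packagers' case the maintainers raise.
    """
    floor = lower_bound(requirement)
    return floor is None or floor < parse_version(fixed)


def audit(requirements: List[str]) -> Dict[str, Dict[str, bool]]:
    """Summarise each requirement: can it resolve to an unfixed Pillow, is it capped?"""
    return {r: {"admits_unfixed": admits_unfixed(r), "upper_bound": has_upper_bound(r)}
            for r in requirements}
```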