fix(nomic,openai,perplexity): update pillow version to >= 12.1.1, <13.0.0 (#35254)

Updates the minimum Pillow version to address CVE-2026-25990 (HIGH severity out-of-bounds write vulnerability affecting versions 10.3.0 through 12.1.0). Changes: langchain-nomic: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-openai: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-perplexity: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 Safety: This is a minimum version bump within the existing constraint range (<13.0.0), so no breaking changes are introduced. CVE Details: CVE-2026-25990: An out-of-bounds write may be triggered when loading a specially crafted PSD image Affected versions: 10.3.0 to <12.1.1 Fixed in: 12.1.1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 ** Claude Helped me write this nice message ** The original findings was thanks to a Trivy scan --------- Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-09 10:17:00 +00:00 · 2026-02-16 23:17:32 -05:00
parent 6a07b3acda
commit 68a14844b5
3 changed files with 3 additions and 3 deletions
--- a/libs/partners/openai/pyproject.toml
+++ b/libs/partners/openai/pyproject.toml
@@ -61,7 +61,7 @@ lint = ["ruff>=0.13.1,<0.14.0"]
 dev = ["langchain-core"]
 test_integration = [
    "httpx>=0.27.0,<1.0.0",
-    "pillow>=10.3.0,<13.0.0",
+    "pillow>=12.1.1,<13.0.0",
    "numpy>=1.26.4; python_version < '3.13'",
    "numpy>=2.1.0; python_version >= '3.13'",
 ]