Bump pillow from 6.2.0 to 12.2.0 in /images

[dependabot]

Bumps pillow from 6.2.0 to 12.2.0.

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

Dependency Review: Pillow 6.2.0 → 12.2.0

🔍 Dependency Analysis Summary

Package	Old Version	New Version	Type
Pillow	6.2.0	12.2.0	Python imaging library (build tooling only)

Context: This change is limited to images/requirements.txt, which contains Python tooling for generating Android drawable assets. It does not affect the Android app itself.

Overall Risk: HIGH — The version jump spans 6 major releases (7.x through 12.x) with 24+ CVEs fixed, but the existing code in images/dpi_manager.py uses removed APIs and Python 2 syntax that will cause immediate runtime failures with Pillow 12.2.0.

---

📋 Detailed Changelog Review

Package: Pillow (6.2.0 → 12.2.0)

Security Fixes (24+ CVEs) — this is why the update is critical:

• CVE-2022-22817 / CVE-2023-50447: Remote code execution via ImageMath.eval() — eval() is completely removed in Pillow 12.0
• CVE-2023-4863: Heap buffer overflow in libwebp
• CVE-2024-28219: Buffer overflow in _imagingcms.c
• CVE-2020-10177/10378/10379/10994/11538: OOB reads/writes in FLI, PCX, TIFF, JPEG2000, SGI decoders
• CVE-2021-27921/27922/27923: Memory DOS via BLP, ICNS, ICO images
• CVE-2026-25990: OOB write in PSD decoding (most recent, v12.1.1)
• Multiple additional memory DOS and buffer overflow CVEs in 8.x–10.x

Breaking Changes (relevant to this codebase):

Version	Breaking Change	Impact on CommCare images/
9.1.0	Image.ANTIALIAS deprecated	⚠️ Warning on use
10.0.0	Image.ANTIALIAS removed	💥 Runtime error (AttributeError)
10.0.0	Old integer resampling constants removed	💥 Same issue
12.0.0	Requires Python 3.10+	💥 Incompatible with Python 2

---

⚠️ Impact Assessment

Breaking Changes Found: YES — the scripts will fail immediately if run.

images/dpi_manager.py issues:

1. Line 125 & 136 — Image.ANTIALIAS removed (Pillow 10.0.0)

   # Current code — BREAKS with Pillow 10.0+
   src_img.resize((dpi_width, dpi_height), Image.ANTIALIAS)
   
   # Required fix
   src_img.resize((dpi_width, dpi_height), Image.Resampling.LANCZOS)

2. Lines 108, 116, 128, 139 — Python 2 print statements

   # Current code — syntax error in Python 3
   print "save to", dpi_path
   
   # Required fix
   print("save to", dpi_path)

   This script appears to be Python 2-era code. Pillow 12.x requires Python 3.10+, making the entire file incompatible as-is.

3. Line 95 — numpy.fromstring() deprecated

   # Current code — deprecated, use frombuffer instead
   premult = numpy.fromstring(src_img.tobytes(), dtype=numpy.uint8)
   
   # Required fix
   premult = numpy.frombuffer(src_img.tobytes(), dtype=numpy.uint8)

Additional concerns in requirements.txt (not changed by this PR):

• numpy==1.9.1 (2014!) — almost certainly incompatible with Python 3.10+
• PyYAML==5.1 — has CVE-2020-14343 (arbitrary code execution via yaml.load())
• CairoSVG==2.5.1 — may have Python 3.10 compatibility issues

Affected Files:

• images/dpi_manager.py — requires fixes before Pillow 12.x will work
• images/requirements.txt — other dependencies need updating alongside Pillow

---

🛠️ Recommendations

Action Required: This PR should not be merged as-is. The security update is absolutely necessary (24+ CVEs including RCE), but the scripts must be updated before bumping to Pillow 12.2.0, or the build tooling will silently break.

Suggested approach — update dpi_manager.py alongside this PR:

# Line 95: replace deprecated numpy.fromstring
premult = numpy.frombuffer(src_img.tobytes(), dtype=numpy.uint8).copy()

# Lines 125, 136: replace removed Image.ANTIALIAS
src_img.resize((dpi_width, dpi_height), Image.Resampling.LANCZOS).save(dpi_path)

# Lines 108, 116, 128, 139: Python 3 print() calls
print("save to", dpi_path)

Also consider bumping the other stale dependencies in requirements.txt in the same PR:

• PyYAML==5.1 → PyYAML>=6.0 (fixes CVE-2020-14343)
• numpy==1.9.1 → numpy>=1.26 (compatible with Python 3.10+)

Testing Focus:

• Verify Python 3.10+ is available in the environment where these image generation scripts are run
• Run make_drawables.py against a test image to confirm the resize/save pipeline works end-to-end with the updated dependencies
• Confirm generated drawable assets are pixel-correct (LANCZOS == ANTIALIAS, just renamed)

Follow-up Tasks:

• Audit whether the images/ tooling is still actively used in CI or developer workflows; if it's dead code, consider removing it entirely
• Open a separate issue for PyYAML CVE-2020-14343 if not already tracked

Merge Recommendation: REVIEW_NEEDED

The security intent is correct and urgent — staying on Pillow 6.2.0 exposes the environment to 24+ known CVEs. However, merging this PR as-is will break the image generation scripts. Please fix dpi_manager.py (and ideally the other stale deps) before merging.

---

📚 Useful Links

• Pillow 10.0.0 Migration Guide (ANTIALIAS removal)
• Pillow Security Advisories
• Pillow Full Release Notes Index
• PyYAML CVE-2020-14343