Bump pillow from 10.3.0 to 10.4.0

[dependabot]

Bumps pillow from 10.3.0 to 10.4.0.

Release notes

Sourced from pillow's releases.

10.4.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.4.0.html

Changes

• Raise FileNotFoundError if show_file() path does not exist #8178 [@​radarhere]
• Improved reading 16-bit TGA images with colour #7965 [@​Yay295]
• Fixed processing multiple JPEG EXIF markers #8127 [@​radarhere]
• Do not preserve EXIFIFD tag by default when saving TIFF images #8110 [@​radarhere]
• Added ImageFont.load_default_imagefont() #8086 [@​radarhere]
• Added Image.WARN_POSSIBLE_FORMATS #8063 [@​radarhere]
• Do not presume "xmp" info simply because "XML:com.adobe.xmp" info exists #8173 [@​radarhere]
• Remove zero-byte end padding when parsing any XMP data #8171 [@​radarhere]
• Do not detect Ultra HDR images as MPO #8056 [@​radarhere]
• Raise SyntaxError specific to JP2 #8146 [@​Yay295]
• Do not use first frame duration for other frames when saving APNG images #8104 [@​radarhere]
• Consider I;16 pixel size when using a 1 mode mask #8112 [@​radarhere]
• When saving multiple PNG frames, convert to mode rather than raw mode #8087 [@​radarhere]
• Added byte support to FreeTypeFont #8141 [@​radarhere]
• Allow float center for rotate operations #8114 [@​radarhere]
• Do not read layers immediately when opening PSD images #8039 [@​radarhere]
• Restore original thread state #8065 [@​radarhere]
• Read IM and TIFF images as RGB, rather than RGBX #7997 [@​radarhere]
• Only preserve TIFF IPTC_NAA_CHUNK tag if type is BYTE or UNDEFINED #7948 [@​radarhere]
• Prevent extra EPS header validations #8144 [@​Yay295]
• Clarify ImageDraw2 error message when size is missing #8165 [@​radarhere]
• Support unpacking more rawmodes to RGBA palettes #7966 [@​radarhere]
• Removed support for Qt 5 #8159 [@​radarhere]
• Improve ImageFont.freetype support for XDG directories on Linux #8135 [@​mamg22]
• Improved consistency of XMP handling #8069 [@​radarhere]
• Use pkg-config to help find libwebp and raqm #8142 [@​radarhere]
• Renamed C transform2 to transform #8113 [@​radarhere]
• Updated nasm to 2.16.03 #7990 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #8100 [@​pre-commit-ci]
• Updated ImageCms.createProfile colorTemp default and docstring #8096 [@​radarhere]
• Added ImageDraw circle() #8085 [@​void4]
• Don't reuse variable name #8082 [@​Yay295]
• Use functools.cached_property in GifImagePlugin #8037 [@​radarhere]
• Add mypy target to Makefile #8077 [@​Yay295]
• Added Python 3.13 beta wheels #8071 [@​radarhere]
• Parse _version contents instead of using exec() #8050 [@​radarhere]
• Lint fixes #8068 [@​radarhere]
• Fix type errors #8064 [@​radarhere]
• Added MPEG accept function #7999 [@​radarhere]
• Added more modes to Image.MODES #7984 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #8044 [@​pre-commit-ci]
• Do not use percent format in strings #8045 [@​radarhere]
• Changed string formatting to f-strings #8043 [@​mrKazzila]
• Removed direct invocation of setup.py #8027 [@​radarhere]
• Update ExifTags.py #8020 [@​CTimmerman]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.4.0 (2024-07-01)

• Raise FileNotFoundError if show_file() path does not exist #8178 [radarhere]

• Improved reading 16-bit TGA images with colour #7965 [Yay295, radarhere]

• Deprecate non-image ImageCms modes #8031 [radarhere]

• Fixed processing multiple JPEG EXIF markers #8127 [radarhere]

• Do not preserve EXIFIFD tag by default when saving TIFF images #8110 [radarhere]

• Added ImageFont.load_default_imagefont() #8086 [radarhere]

• Added Image.WARN_POSSIBLE_FORMATS #8063 [radarhere]

• Remove zero-byte end padding when parsing any XMP data #8171 [radarhere]

• Do not detect Ultra HDR images as MPO #8056 [radarhere]

• Raise SyntaxError specific to JP2 #8146 [Yay295, radarhere]

• Do not use first frame duration for other frames when saving APNG images #8104 [radarhere]

• Consider I;16 pixel size when using a 1 mode mask #8112 [radarhere]

• When saving multiple PNG frames, convert to mode rather than raw mode #8087 [radarhere]

• Added byte support to FreeTypeFont #8141 [radarhere]

• Allow float center for rotate operations #8114 [radarhere]

• Do not read layers immediately when opening PSD images #8039 [radarhere]

... (truncated)

Commits

• 9b4fae7 10.4.0 version bump
• b55d74b Update CHANGES.rst [ci skip]
• 8daf550 Merge pull request #8178 from radarhere/imageshow
• c6d8c58 Merge pull request #7965 from Yay295/patch-3
• c9ec76a Raise FileNotFoundError if show_file() path does not exist
• b48d175 Update CHANGES.rst [ci skip]
• 4d6dff3 Merge pull request #8031 from radarhere/imagingcms_modes
• 70b3815 Merge pull request #8127 from radarhere/multiple_exif_markers
• 88cd6d4 Rearranged comments
• 41426a6 Merge pull request #8110 from radarhere/exififd
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	1 finding
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code change in the requirements.txt file appears to be an update to the Pillow library, which is a dependency for the Django-Imagekit library used in the DefectDojo application. The specific change is an upgrade of the Pillow library from version 10.3.0 to version 10.4.0. From an application security perspective, this is generally a good practice, as it may address security vulnerabilities found in the previous version of the library. Keeping dependencies up-to-date is an important security measure to mitigate potential security risks. Additionally, maintaining a well-documented and up-to-date list of dependencies, as shown in the requirements.txt file, is a recommended security practice that helps in managing the application's attack surface.

Files Changed:

• requirements.txt: The changes in this file update the Pillow library from version 10.3.0 to version 10.4.0. This library is a dependency for the Django-Imagekit library used in the DefectDojo application. Upgrading the Pillow library is a positive security measure, as it may address any security vulnerabilities found in the previous version.

Powered by DryRun Security

[mtesauro]

Approved

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

@dependabot recreate

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.