Open
Conversation
hugovk
reviewed
Apr 9, 2026
At the risk of making this document larger, add in sections in Bootstrap IRP but not ours. - https://github.com/twbs/bootstrap/blob/main/.github/INCIDENT_RESPONSE.md
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
wiredfool
reviewed
Apr 9, 2026
…ignment step Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 9, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 9, 2026
| |---|---|---| | ||
| | `pybind11` | Build-time only | C++ ↔ Python bindings | | ||
| | `olefile` | Optional (`fpx`, `mic` extras) | OLE2 container parsing (FPX, MIC formats) | | ||
| | `defusedxml` | Optional (`xmp` extra) | Safe XML parsing for XMP metadata | |
Member
There was a problem hiding this comment.
This list is missing setuptools
Member
There was a problem hiding this comment.
We have more lists of optional deps in pyproject.toml. Do they need repeating here?
Member
There was a problem hiding this comment.
The categories of dependencies that aren't covered are 'docs', 'test-arrow' and 'tests'.
I don't know if they should be included or not, but there is a distinction - documentation builds and testing aren't actions that most users undertake.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 9, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 10, 2026
radarhere
reviewed
Apr 10, 2026
radarhere
reviewed
Apr 10, 2026
radarhere
reviewed
Apr 10, 2026
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hugovk
reviewed
Apr 10, 2026
| |---|---|---| | ||
| | `pybind11` | Build-time only | C++ ↔ Python bindings | | ||
| | `olefile` | Optional (`fpx`, `mic` extras) | OLE2 container parsing (FPX, MIC formats) | | ||
| | `defusedxml` | Optional (`xmp` extra) | Safe XML parsing for XMP metadata | |
Member
There was a problem hiding this comment.
We have more lists of optional deps in pyproject.toml. Do they need repeating here?
radarhere
reviewed
Apr 10, 2026
radarhere
reviewed
Apr 10, 2026
radarhere
reviewed
Apr 10, 2026
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
- Update CVSS v3.1 to CVSS 4.0 throughout - Remove 'Direct maintainer contact' from detection sources - Fix 'before it stays public' wording for user bug reports - Simplify sections 7.3 and 7.4 to reference RELEASING.md instead of duplicating release process steps - Update RELEASING.md Point release section with security-specific steps (amend CVE in commits, publish GitHub Security Advisory) - Fix PyPI API tokens entry (remove GitHub secrets reference) - Fix 404 PyPI manage URL (use correct case and /releases/ path) - Replace security@pypi.org mailto with https://pypi.org/security/ - Remove unconfirmed 'Notify GitHub Security' bullet - Fix section numbering: 10.x → 9.x under Section 9. Dependency Map - Reorder: move 9.3 Responding to Upstream Vulnerability before 9.3 Downstream Dependencies (now 9.2 and 9.3 respectively) - Add anchor link for Section 5 reference in 9.2 - Add #plugin-list anchor to third-party plugins handbook link - Fix GitLab issue tracker URLs to use /-/work_items for libtiff, freetype2, and bzip2 - Add pyproject.toml reference for complete optional dependencies list Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 12, 2026
| | Package | Required? | Purpose | | ||
| |---|---|---| | ||
| | `setuptools` | Build-time only | Package build backend | | ||
| | `pybind11` | Build-time only | C++ ↔ Python bindings | |
Member
There was a problem hiding this comment.
Suggested change
| | `pybind11` | Build-time only | C++ ↔ Python bindings | | |
| | `pybind11` | Build-time only | Compile C files in parallel | |
'C++ ↔ Python bindings' may be the general purpose of pybind11, but we just it for parallel compiling. See #8990
radarhere
reviewed
Apr 12, 2026
| ```bash | ||
| git push | ||
| ``` | ||
| * [ ] If this is a security fix: publish the [GitHub Security Advisory](https://github.com/python-pillow/Pillow/security/advisories). |
Member
There was a problem hiding this comment.
Suggested change
| * [ ] If this is a security fix: publish the [GitHub Security Advisory](https://github.com/python-pillow/Pillow/security/advisories). | |
| * [ ] If this is a security fix: publish the [GitHub Security Advisories](https://github.com/python-pillow/Pillow/security/advisories). |
Nitpick: There may be more than one
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes proposed in this pull request: