• e541f2d [2.2.x] Bumped version for 2.2.27 release.
• c477b76 [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.
• c27a7eb [2.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
• 4cafd3a [2.2.x] Added stub release notes 2.2.27.
• 77d0fe5 [2.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security ...
• e085d46 [2.2.x] Post-release version bump.
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• 5c33000 [2.2.x] Bumped version for 2.2.28 release.
• 29a6c98 [2.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against...
• 2c09e68 [2.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), a...
• 8352b98 [2.2.x] Added stub release notes for 2.2.28.
• 2801f29 [2.2.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+."
• e03648f [2.2.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+.
• 9d13d8c [2.2.x] Fixed typo in release notes.
• 047ece3 [2.2.x] Added CVE-2022-22818 and CVE-2022-23833 to security archive.
• 2427b2f [2.2.x] Post-release version bump.
• e541f2d [2.2.x] Bumped version for 2.2.27 release.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.0.1

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html

Changes

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [@​radarhere, @​hugovk]
• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

Sourced from pillow's changelog.

9.0.1 (2022-02-03)

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [radarhere, hugovk]

• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

• 6deac9e 9.0.1 version bump
• c04d812 Update CHANGES.rst [ci skip]
• 4fabec3 Added release notes for 9.0.1
• 02affaa Added delay after opening image with xdg-open
• ca0b585 Updated formatting
• 427221e In show_file, use os.remove to remove temporary images
• c930be0 Restrict builtins within lambdas for ImageMath.eval
• 75b69dd Dont need to pin for GHA
• cd938a7 Autolink CWE numbers with sphinx-issues
• 2e9c461 Add CVE IDs
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• 44e7cca 2.2.x] Bumped version for 2.2.26 release.
• 4cb35b3 [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage sub...
• c9f648c [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dic...
• 2135637 [2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilari...
• 03b733d [2.2.x] Added stub release notes for 2.2.26 release.
• b878206 [2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django...
• 573e70e [2.2.x] Added CVE-2021-44420 to security archive.
• 8439938 [2.2.x] Post-release version bump.
• 79d8dce [2.2.x] Bumped version for 2.2.25 release.
• 7cf7d74 [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.21.0

NumPy 1.21.0 Release Notes

The NumPy 1.21.0 release highlights are

• continued SIMD work covering more functions and platforms,
• initial work on the new dtype infrastructure and casting,
• universal2 wheels for Python 3.8 and Python 3.9 on Mac,
• improved documentation,
• improved annotations,
• new PCG64DXSM bitgenerator for random numbers.

In addition there are the usual large number of bug fixes and other improvements.

The Python versions supported for this release are 3.7-3.9. Official support for Python 3.10 will be added when it is released.

:warning: Warning: there are unresolved problems compiling NumPy 1.21.0 with gcc-11.1 .

• Optimization level -O3 results in many wrong warnings when running the tests.
• On some hardware NumPy will hang in an infinite loop.

New functions

Add PCG64DXSM BitGenerator

Uses of the PCG64 BitGenerator in a massively-parallel context have been shown to have statistical weaknesses that were not apparent at the first release in numpy 1.17. Most users will never observe this weakness and are safe to continue to use PCG64. We have introduced a new PCG64DXSM BitGenerator that will eventually become the new default BitGenerator implementation used by default_rng in future releases. PCG64DXSM solves the statistical weakness while preserving the performance and the features of PCG64.

See upgrading-pcg64 for more details.

(gh-18906)

Expired deprecations

• The shape argument numpy.unravel_index cannot be passed as dims keyword argument anymore. (Was deprecated in NumPy 1.16.)

... (truncated)

• b235f9e Merge pull request #19283 from charris/prepare-1.21.0-release
• 34aebc2 MAINT: Update 1.21.0-notes.rst
• 493b64b MAINT: Update 1.21.0-changelog.rst
• 07d7e72 MAINT: Remove accidentally created directory.
• 032fca5 Merge pull request #19280 from charris/backport-19277
• 7d25b81 BUG: Fix refcount leak in ResultType
• fa5754e BUG: Add missing DECREF in new path
• 61127bb Merge pull request #19268 from charris/backport-19264
• 143d45f Merge pull request #19269 from charris/backport-19228
• d80e473 BUG: Removed typing for == and != in dtypes
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

• Restrict builtins for ImageMath.eval() #5923 [@​radarhere]
• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@​radarhere]
• Fixed ImagePath.Path array handling #5920 [@​radarhere]
• Remove consecutive duplicate tiles that only differ by their offset #5919 [@​radarhere]
• Removed redundant part of condition #5915 [@​radarhere]
• Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@​kmilos]
• Use the Windows method to get TCL functions on Cygwin #5807 [@​DWesl]
• Changed error type to allow for incremental WebP parsing #5404 [@​radarhere]
• Improved I;16 operations on big endian #5901 [@​radarhere]
• Ensure that BMP pixel data offset does not ignore palette #5899 [@​radarhere]
• Limit quantized palette to number of colors #5879 [@​radarhere]
• Use latin1 encoding to decode bytes #5870 [@​radarhere]
• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@​radarhere]
• When saving RGBA to GIF, make use of first transparent palette entry #5859 [@​radarhere]
• Pass SAMPLEFORMAT to libtiff #5848 [@​radarhere]
• Added rounding when converting P and PA #5824 [@​radarhere]
• Improved putdata() documentation and data handling #5910 [@​radarhere]
• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@​radarhere]
• Image.NONE is only used for resampling and dithers #5908 [@​radarhere]
• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@​radarhere]
• Add Tidelift alignment action and badge #5763 [@​aclark4life]
• Replaced further direct invocations of setup.py #5906 [@​radarhere]
• Added ImageShow support for xdg-open #5897 [@​m-shinder]
• Fixed typo #5902 [@​radarhere]
• Switched from deprecated "setup.py install" to "pip install ." #5896 [@​radarhere]
• Support 16-bit grayscale ImageQt conversion #5856 [@​cmbruns]
• Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@​radarhere]
• Convert subsequent GIF frames to RGB or RGBA #5857 [@​radarhere]
• WebP: Fix memory leak during decoding on failure #5798 [@​ilai-deutel]
• Do not prematurely return in ImageFile when saving to stdout #5665 [@​infmagic2047]
• Added support for top right and bottom right TGA orientations #5829 [@​radarhere]
• Corrected ICNS file length in header #5845 [@​radarhere]
• Block tile TIFF tags when saving #5839 [@​radarhere]
• Added line width argument to ImageDraw polygon #5694 [@​radarhere]
• Do not redeclare class each time when converting to NumPy #5844 [@​radarhere]
• Only prevent repeated polygon pixels when drawing with transparency #5835 [@​radarhere]
• Fix pushes_fd method signature #5833 [@​hoodmane]
• Add support for pickling TrueType fonts #5826 [@​hugovk]
• Only prefer command line tools SDK on macOS over default MacOSX SDK #5828 [@​radarhere]
• Fix compilation on 64-bit Termux #5793 [@​landfillbaby]
• Replace 'setup.py sdist' with '-m build --sdist' #5785 [@​hugovk]
• Use declarative package configuration #5784 [@​hugovk]
• Use title for display in ImageShow #5788 [@​radarhere]
• Fix for PyQt6 #5775 [@​hugovk]

... (truncated)

Sourced from pillow's changelog.

9.0.0 (2022-01-02)

• Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

• Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

• Improved I;16 operations on big endian #5901 [radarhere]

• Limit quantized palette to number of colors #5879 [radarhere]

• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

• When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

• Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

• Added rounding when converting P and PA #5824 [radarhere]

• Improved putdata() documentation and data handling #5910 [radarhere]

• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

• Added ImageShow support for xdg-open #5897 [m-shinder, radarhere]

• Support 16-bit grayscale ImageQt conversion #5856 [cmbruns, radarhere]

• Convert subsequent GIF frames to RGB or RGBA #5857 [radarhere]

... (truncated)

• 82541b6 9.0.0 version bump
• cae5ac4 Merge pull request #5924 from radarhere/cves
• ed4cf78 CVEs TBD
• d7f60d1 Merge pull request #5923 from radarhere/imagemath_eval
• 8531b01 Restrict builtins for ImageMath.eval
• 1efb1d9 Merge pull request #5922 from radarhere/releasenotes
• f6c7871 Added release notes for #5919, #5920 and #5921
• 032d2dc Update CHANGES.rst [ci skip]
• baae9ec Merge pull request #5921 from radarhere/jpeg_eoi
• 1059eb5 If appended EOI did not work, do not keep trying
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

8.3.2

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Security

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

Python 3.10 wheels

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

Fixed regressions

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.1.html

Changes

• Catch OSError when checking if fp is sys.stdout #5585 [@​radarhere]
• Handle removing orientation from alternate types of EXIF data #5584 [@​radarhere]
• Make Image.array take optional dtype argument #5572 [@​t-vi]

8.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html

Changes

• Use snprintf instead of sprintf #5567 [@​radarhere]
• Limit TIFF strip size when saving with LibTIFF #5514 [@​kmilos]
• Allow ICNS save on all operating systems #4526 [@​newpanjing]
• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [@​gofr]
• Do not use background or transparency index for new color #5564 [@​radarhere]
• Simplified code #5315 [@​radarhere]
• Replaced xml.etree.ElementTree #5565 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

8.3.2 (2021-09-02)

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1 (2021-07-06)

• Catch OSError when checking if fp is sys.stdout #5585 [radarhere]

• Handle removing orientation from alternate types of EXIF data #5584 [radarhere]

• Make Image.array take optional dtype argument #5572 [t-vi, radarhere]

8.3.0 (2021-07-01)

• Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]

• Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]

• Allow ICNS save on all operating systems #4526 [baletu, radarhere, newpanjing, hugovk]

• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [gofr, radarhere]

• Replaced xml.etree.ElementTree #5565 [radarhere]

... (truncated)

• 8013f13 8.3.2 version bump
• 23c7ca8 Update CHANGES.rst
• 8450366 Update release notes
• a0afe89 Update test case
• 9e08eb8 Raise ValueError if color specifier is too long
• bd5cf7d FLI tests for Oss-fuzz crash.
• 94a0cf1 Fix 6-byte OOB read in FliDecode
• cece64f Add 8.3.2 (2021-09-02) [CI skip]
• e422386 Add release notes for Pillow 8.3.2
• 08dcbb8 Pillow 8.3.2 supports Python 3.10 [ci skip]
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• 2da029d [2.2.x] Bumped version for 2.2.24 release.
• f27c38a [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
• 053cc95 [2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs'...
• 6229d87 [2.2.x] Confirmed release date for Django 2.2.24.
• f163ad5 [2.2.x] Added stub release notes and date for Django 2.2.24.
• bed1755 [2.2.x] Changed IRC references to Libera.Chat.
• 63f0d7a [2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fi...
• 5fe4970 [2.2.x] Post-release version bump.
• 61f814f [2.2.x] Bumped version for 2.2.23 release.
• b8ecb06 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• df9fd46 [2.2.x] Bumped version for 2.2.22 release.
• d9594c4 [2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs fro...
• 1637003 [2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
• bcafd9b [2.2.x] Added CVE-2021-31542 to security archive.
• 3931dc7 [2.2.x] Post-release version bump.
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

8.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html

Changes

• Security fixes for 8.2.0 #5377 [@​hugovk]
• Move getxmp() to JpegImageFile #5376 [@​radarhere]
• Added getxmp() method #5144 [@​UrielMaD]
• Compile LibTIFF with CMake on Windows #5359 [@​nulano]
• Add ImageShow support for GraphicsMagick #5349 [@​latosha-maltba]
• Tiff crash fixes in TiffDecode.c #5372 [@​wiredfool]
• Remove redundant check (addition to #5364) #5366 [@​kkopachev]
• Do not load transparent pixels from subsequent GIF frames #5333 [@​radarhere]
• Use LZW encoding when saving GIF images #5291 [@​raygard]
• Set all transparent colors to be equal in quantize() #5282 [@​radarhere]
• Allow PixelAccess to use Python int when parsing x and y #5206 [@​radarhere]
• Removed Image._MODEINFO #5316 [@​radarhere]
• Add preserve_tone option to autocontrast #5350 [@​elejke]
• Only import numpy when necessary #5323 [@​radarhere]
• Fixed linear_gradient and radial_gradient I and F modes #5274 [@​radarhere]
• Add support for reading TIFFs with PlanarConfiguration=2 #5364 [@​wiredfool]
• More OSS-Fuzz support #5328 [@​wiredfool]
• Do not premultiply alpha when resizing with Image.NEAREST resampling #5304 [@​nulano]
• Use quantization method attributes #5353 [@​radarhere]
• Dynamically link FriBiDi instead of Raqm #5062 [@​nulano]
• Removed build_distance_tables return value #5363 [@​radarhere]
• Allow fewer PNG palette entries than the bit depth maximum when saving #5330 [@​radarhere]
• Use duration from info dictionary when saving WebP #5338 [@​radarhere]
• Improved efficiency when creating GIF disposal images #5326 [@​radarhere]
• Stop flattening EXIF IFD into getexif() #4947 [@​radarhere]
• Replaced tiff_deflate with tiff_adobe_deflate compression when saving TIFF images #5343 [@​radarhere]
• Save ICC profile from TIFF encoderinfo #5321 [@​radarhere]
• Moved RGB fix inside ImageQt class #5268 [@​radarhere]
• Fix -Wformat error in TiffDecode #5305 [@​lukegb]
• Allow alpha_composite destination to be negative #5313 [@​radarhere]
• Ensure file is closed if it is opened by ImageQt.ImageQt #5260 [@​radarhere]
• Added ImageDraw rounded_rectangle method #5208 [@​radarhere]
• Added IPythonViewer #5289 [@​radarhere]
• Only draw each rectangle outline pixel once #5183 [@​radarhere]
• Use mmap instead of built-in Win32 mapper #5224 [@​radarhere]
• Handle PCX images with an odd stride #5214 [@​radarhere]
• Only read different sizes for "Large Thumbnail" MPO frames #5168 [@​radarhere]

Dependencies

• Updated harfbuzz to 2.8.0 #5334 [@​radarhere]

Deprecations

... (truncated)

Sourced from pillow's changelog.

8.2.0 (2021-04-01)

• Added getxmp() method #5144 [UrielMaD, radarhere]

• Add ImageShow support for GraphicsMagick #5349 [latosha-maltba, radarhere]

• Do not load transparent pixels from subsequent GIF frames #5333 [zewt, radarhere]

• Use LZW encoding when saving GIF images #5291 [raygard]

• Set all transparent colors to be equal in quantize() #5282 [radarhere]

• Allow PixelAccess to use Python int when parsing x and y #5206 [radarhere]

• Removed Image._MODEINFO #5316 [radarhere]

• Add preserve_tone option to autocontrast #5350 [elejke, radarhere]

• Fixed linear_gradient and radial_gradient I and F modes #5274 [radarhere]

• Add support for reading TIFFs with PlanarConfiguration=2 #5364 [kkopachev, wiredfool, nulano]

• Deprecated categories #5351 [radarhere]

• Do not premultiply alpha when resizing with Image.NEAREST resampling #5304 [nulano]

• Dynamically link FriBiDi instead of Raqm #5062 [nulano]

• Allow fewer PNG palette entries than the bit depth maximum when saving #5330 [radarhere]

• Use duration from info dictionary when saving WebP #5338 [radarhere]

• Stop flattening EXIF IFD into getexif() #4947 [radarhere, kkopachev]

... (truncated)

• e0e353c 8.2.0 version bump
• ee635be Merge pull request #5377 from hugovk/security-and-release-notes
• 694c84f Fix typo [ci skip]
• 8febdad Review, typos and lint
• fea4196 Reorder, roughly alphabetic
• 496245a Fix BLP DOS -- CVE-2021-28678
• 22e9bee Fix DOS in PSDImagePlugin -- CVE-2021-28675
• ba65f0b Fix Memory DOS in ImageFont
• bb6c11f Fix FLI DOS -- CVE-2021-28676
• 5a5e6db Fix EPS DOS on _open -- CVE-2021-28677
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.22.0

NumPy 1.22.0 Release Notes

NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

• Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
• A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
• NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
• New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
• A new configurable allocator for use by downstream projects.

These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

Expired deprecations

Deprecated numeric style dtype strings have been removed

Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

(gh-19539)

Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

(gh-19615)

... (truncated)

• 4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
• fd66547 REL: Prepare for the NumPy 1.22.0 release.
• 125304b wip
• c283859 Merge pull request #20682 from charris/backport-20416
• 5399c03 Merge pull request #20681 from charris/backport-20954
• f9c45f8 Merge pull request #20680 from charris/backport-20663
• 794b36f Update armccompiler.py
• d93b14e Update test_public_api.py
• 7662c07 Update init.py
• 311ab52 Update armccompiler.py
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.