security: fix #9 — add upper bounds on runtime dependencies

The previous floors-only scheme would let a future `pip install` pull
in any new major release of httpx, Pillow, PySide6, or python-mpv —
including ones that loosen safety guarantees we depend on (e.g.
Pillow's MAX_IMAGE_PIXELS, httpx's redirect-following defaults).

Caps each at the next major version. Lock-file generation is still
deferred — see TODO.md for the follow-up (would require adding
pip-tools as a new dev dep, out of scope for this branch).

Audit-Ref: SECURITY_AUDIT.md finding #9
Severity: Low
pax 2026-04-11 16:22:34 -05:00
parent 8f9e4f7e65
commit fef3c237f1


@ -8,10 +8,10 @@ version = "0.2.5"
description = "Local booru image browser with Qt6 GUI" description = "Local booru image browser with Qt6 GUI"
requires-python = ">=3.11" requires-python = ">=3.11"
dependencies = [ dependencies = [
"httpx>=0.27", "httpx>=0.27,<1.0",
"Pillow>=10.0", "Pillow>=10.0,<12.0",
"PySide6>=6.6", "PySide6>=6.6,<7.0",
"python-mpv>=1.0", "python-mpv>=1.0,<2.0",
] ]
[project.scripts] [project.scripts]
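Review bot: the Pillow cap in this hunk does not match the stated intent of capping "at the next major version": `"Pillow>=10.0,<12.0"` admits the whole 11.x line, whereas httpx, PySide6 and python-mpv are each held below the next major (`<1.0`, `<7.0`, `<2.0`). If 11.x is intentionally allowed (for example because it has already been tested), say so in the commit message; otherwise use `"Pillow>=10.0,<11.0"` for consistency. Also worth noting in the message that these bounds constrain only the four direct dependencies listed here; anything they pull in transitively stays unbounded until the deferred lock-file work lands.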