Bump pillow from 8.4.0 to 9.0.0

[dependabot[bot]]

Bumps pillow from 8.4.0 to 9.0.0.

Release notes

Sourced from pillow's releases.

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

• Restrict builtins for ImageMath.eval() #5923 [@​radarhere]
• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@​radarhere]
• Fixed ImagePath.Path array handling #5920 [@​radarhere]
• Remove consecutive duplicate tiles that only differ by their offset #5919 [@​radarhere]
• Removed redundant part of condition #5915 [@​radarhere]
• Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@​kmilos]
• Use the Windows method to get TCL functions on Cygwin #5807 [@​DWesl]
• Changed error type to allow for incremental WebP parsing #5404 [@​radarhere]
• Improved I;16 operations on big endian #5901 [@​radarhere]
• Ensure that BMP pixel data offset does not ignore palette #5899 [@​radarhere]
• Limit quantized palette to number of colors #5879 [@​radarhere]
• Use latin1 encoding to decode bytes #5870 [@​radarhere]
• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@​radarhere]
• When saving RGBA to GIF, make use of first transparent palette entry #5859 [@​radarhere]
• Pass SAMPLEFORMAT to libtiff #5848 [@​radarhere]
• Added rounding when converting P and PA #5824 [@​radarhere]
• Improved putdata() documentation and data handling #5910 [@​radarhere]
• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@​radarhere]
• Image.NONE is only used for resampling and dithers #5908 [@​radarhere]
• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@​radarhere]
• Add Tidelift alignment action and badge #5763 [@​aclark4life]
• Replaced further direct invocations of setup.py #5906 [@​radarhere]
• Added ImageShow support for xdg-open #5897 [@​m-shinder]
• Fixed typo #5902 [@​radarhere]
• Switched from deprecated "setup.py install" to "pip install ." #5896 [@​radarhere]
• Support 16-bit grayscale ImageQt conversion #5856 [@​cmbruns]
• Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@​radarhere]
• Convert subsequent GIF frames to RGB or RGBA #5857 [@​radarhere]
• WebP: Fix memory leak during decoding on failure #5798 [@​ilai-deutel]
• Do not prematurely return in ImageFile when saving to stdout #5665 [@​infmagic2047]
• Added support for top right and bottom right TGA orientations #5829 [@​radarhere]
• Corrected ICNS file length in header #5845 [@​radarhere]
• Block tile TIFF tags when saving #5839 [@​radarhere]
• Added line width argument to ImageDraw polygon #5694 [@​radarhere]
• Do not redeclare class each time when converting to NumPy #5844 [@​radarhere]
• Only prevent repeated polygon pixels when drawing with transparency #5835 [@​radarhere]
• Fix pushes_fd method signature #5833 [@​hoodmane]
• Add support for pickling TrueType fonts #5826 [@​hugovk]
• Only prefer command line tools SDK on macOS over default MacOSX SDK #5828 [@​radarhere]
• Fix compilation on 64-bit Termux #5793 [@​landfillbaby]
• Replace 'setup.py sdist' with '-m build --sdist' #5785 [@​hugovk]
• Use declarative package configuration #5784 [@​hugovk]
• Use title for display in ImageShow #5788 [@​radarhere]
• Fix for PyQt6 #5775 [@​hugovk]

... (truncated)

Changelog

Sourced from pillow's changelog.

9.0.0 (2022-01-02)

• Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

• Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

• Improved I;16 operations on big endian #5901 [radarhere]

• Limit quantized palette to number of colors #5879 [radarhere]

• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

• When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

• Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

• Added rounding when converting P and PA #5824 [radarhere]

• Improved putdata() documentation and data handling #5910 [radarhere]

• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

• Added ImageShow support for xdg-open #5897 [m-shinder, radarhere]

• Support 16-bit grayscale ImageQt conversion #5856 [cmbruns, radarhere]

• Convert subsequent GIF frames to RGB or RGBA #5857 [radarhere]

... (truncated)

Commits

• 82541b6 9.0.0 version bump
• cae5ac4 Merge pull request #5924 from radarhere/cves
• ed4cf78 CVEs TBD
• d7f60d1 Merge pull request #5923 from radarhere/imagemath_eval
• 8531b01 Restrict builtins for ImageMath.eval
• 1efb1d9 Merge pull request #5922 from radarhere/releasenotes
• f6c7871 Added release notes for #5919, #5920 and #5921
• 032d2dc Update CHANGES.rst [ci skip]
• baae9ec Merge pull request #5921 from radarhere/jpeg_eoi
• 1059eb5 If appended EOI did not work, do not keep trying
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/alvarouc/polyssifier/network/alerts).

[coveralls]

Coverage remained the same at 92.514% when pulling cb7ea84f4822b06e31196a76bef287bf17c9e0b9 on dependabot/pip/pillow-9.0.0 into 25ae479ab6f0c975b10583e3a89d0cdf3ca5ae50 on master.

[dependabot[bot]]

Superseded by #21.