Sourced from pillow's releases.

9.0.1

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html

Changes

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [@​radarhere, @​hugovk]
• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

• Restrict builtins for ImageMath.eval() #5923 [@​radarhere]
• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@​radarhere]
• Fixed ImagePath.Path array handling #5920 [@​radarhere]
• Remove consecutive duplicate tiles that only differ by their offset #5919 [@​radarhere]
• Removed redundant part of condition #5915 [@​radarhere]
• Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@​kmilos]
• Use the Windows method to get TCL functions on Cygwin #5807 [@​DWesl]
• Changed error type to allow for incremental WebP parsing #5404 [@​radarhere]
• Improved I;16 operations on big endian #5901 [@​radarhere]
• Ensure that BMP pixel data offset does not ignore palette #5899 [@​radarhere]
• Limit quantized palette to number of colors #5879 [@​radarhere]
• Use latin1 encoding to decode bytes #5870 [@​radarhere]
• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@​radarhere]
• When saving RGBA to GIF, make use of first transparent palette entry #5859 [@​radarhere]
• Pass SAMPLEFORMAT to libtiff #5848 [@​radarhere]
• Added rounding when converting P and PA #5824 [@​radarhere]
• Improved putdata() documentation and data handling #5910 [@​radarhere]
• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@​radarhere]
• Image.NONE is only used for resampling and dithers #5908 [@​radarhere]
• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@​radarhere]
• Add Tidelift alignment action and badge #5763 [@​aclark4life]
• Replaced further direct invocations of setup.py #5906 [@​radarhere]
• Added ImageShow support for xdg-open #5897 [@​m-shinder]
• Fixed typo #5902 [@​radarhere]
• Switched from deprecated "setup.py install" to "pip install ." #5896 [@​radarhere]
• Support 16-bit grayscale ImageQt conversion #5856 [@​cmbruns]
• Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@​radarhere]
• Convert subsequent GIF frames to RGB or RGBA #5857 [@​radarhere]
• WebP: Fix memory leak during decoding on failure #5798 [@​ilai-deutel]
• Do not prematurely return in ImageFile when saving to stdout #5665 [@​infmagic2047]
• Added support for top right and bottom right TGA orientations #5829 [@​radarhere]
• Corrected ICNS file length in header #5845 [@​radarhere]
• Block tile TIFF tags when saving #5839 [@​radarhere]
• Added line width argument to ImageDraw polygon #5694 [@​radarhere]
• Do not redeclare class each time when converting to NumPy #5844 [@​radarhere]
• Only prevent repeated polygon pixels when drawing with transparency #5835 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.0.1 (2022-02-03)

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [radarhere, hugovk]

• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

9.0.0 (2022-01-02)

• Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

• Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

• Improved I;16 operations on big endian #5901 [radarhere]

• Limit quantized palette to number of colors #5879 [radarhere]

• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

• When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

• Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

• Added rounding when converting P and PA #5824 [radarhere]

• Improved putdata() documentation and data handling #5910 [radarhere]

• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

... (truncated)

• 6deac9e 9.0.1 version bump
• c04d812 Update CHANGES.rst [ci skip]
• 4fabec3 Added release notes for 9.0.1
• 02affaa Added delay after opening image with xdg-open
• ca0b585 Updated formatting
• 427221e In show_file, use os.remove to remove temporary images
• c930be0 Restrict builtins within lambdas for ImageMath.eval
• 75b69dd Dont need to pin for GHA
• cd938a7 Autolink CWE numbers with sphinx-issues
• 2e9c461 Add CVE IDs
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from setuptools's releases.

v65.5.1

No release notes provided.

v65.5.0

No release notes provided.

v65.4.1

No release notes provided.

v65.4.0

No release notes provided.

v65.3.0

No release notes provided.

v65.2.0

No release notes provided.

v65.1.1

No release notes provided.

v65.1.0

No release notes provided.

v65.0.2

No release notes provided.

v65.0.1

No release notes provided.

v65.0.0

No release notes provided.

v64.0.3

No release notes provided.

v64.0.2

No release notes provided.

v64.0.1

No release notes provided.

v64.0.0

No release notes provided.

v63.4.3

No release notes provided.

v63.4.2

No release notes provided.

... (truncated)

Sourced from setuptools's changelog.

v65.5.1

Misc ^^^^

• #3638: Drop a test dependency on the mock package, always use :external+python:py:mod:unittest.mock -- by :user:hroncok
• #3659: Fixed REDoS vector in package_index.

v65.5.0

Changes ^^^^^^^

• #3624: Fixed editable install for multi-module/no-package src-layout projects.
• #3626: Minor refactorings to support distutils using stdlib logging module.

Documentation changes ^^^^^^^^^^^^^^^^^^^^^

• #3419: Updated the example version numbers to be compliant with PEP-440 on the "Specifying Your Project’s Version" page of the user guide.

Misc ^^^^

• #3569: Improved information about conflicting entries in the current working directory and editable install (in documentation and as an informational warning).
• #3576: Updated version of validate_pyproject.

v65.4.1

Misc ^^^^

• #3613: Fixed encoding errors in expand.StaticModule when system default encoding doesn't match expectations for source files.
• #3617: Merge with pypa/[email protected] including fix for pypa/distutils#181.

v65.4.0

Changes ^^^^^^^

• #3609: Merge with pypa/[email protected] including support for DIST_EXTRA_CONFIG in pypa/distutils#177.

v65.3.0

... (truncated)

• a462cb5 Bump version: 65.5.0 → 65.5.1
• de35d8b Merge pull request #3656 from bmorris3/typos
• 58e23de Update changelog. Ref #3659.
• 43a9c9b Limit the amount of whitespace to search/backtrack. Fixes #3659.
• 5791343 Add test capturing failed expectation. Ref #3659.
• 1f97905 ⚫ Fade to black.
• 6254567 Remove workaround for emacs.
• 729b180 ⚫ Fade to black.
• c068081 Typo corrections
• f777a40 Suppress deprecation warning in --rsyncdir. Workaround for #3655.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from wheel's changelog.

Release Notes

UNRELEASED

• Updated vendored packaging to 22.0

0.38.4 (2022-11-09)

• Fixed PKG-INFO conversion in bdist_wheel mangling UTF-8 header values in METADATA (PR by Anderson Bravalheri)

0.38.3 (2022-11-08)

• Fixed install failure when used with --no-binary, reported on Ubuntu 20.04, by removing setup_requires from setup.cfg

0.38.2 (2022-11-05)

• Fixed regression introduced in v0.38.1 which broke parsing of wheel file names with multiple platform tags

0.38.1 (2022-11-04)

• Removed install dependency on setuptools
• The future-proof fix in 0.36.0 for converting PyPy's SOABI into a abi tag was faulty. Fixed so that future changes in the SOABI will not change the tag.

0.38.0 (2022-10-21)

• Dropped support for Python < 3.7
• Updated vendored packaging to 21.3
• Replaced all uses of distutils with setuptools
• The handling of license_files (including glob patterns and default values) is now delegated to setuptools>=57.0.0 (#466). The package dependencies were updated to reflect this change.
• Fixed potential DoS attack via the WHEEL_INFO_RE regular expression
• Fixed ValueError: ZIP does not support timestamps before 1980 when using SOURCE_DATE_EPOCH=0 or when on-disk timestamps are earlier than 1980-01-01. Such timestamps are now changed to the minimum value before packaging.

0.37.1 (2021-12-22)

• Fixed wheel pack duplicating the WHEEL contents when the build number has changed (#415)
• Fixed parsing of file names containing commas in RECORD (PR by Hood Chatham)

0.37.0 (2021-08-09)

• Added official Python 3.10 support
• Updated vendored packaging library to v20.9

... (truncated)

• 6f1608d Created a new release
• cf8f5ef Moved news item from PR #484 to its proper place
• 9ec2016 Removed install dependency on setuptools (#483)
• 747e1f6 Fixed PyPy SOABI parsing (#484)
• 7627548 [pre-commit.ci] pre-commit autoupdate (#480)
• 7b9e8e1 Test on Python 3.11 final
• a04dfef Updated the pypi-publish action
• 94bb62c Fixed docs not building due to code style changes
• d635664 Updated the codecov action to the latest version
• fcb94cd Updated version to match the release
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.