thumbor/thumbor 7.8.0

Release 7.8.0

on GitHub

Security

This release includes fixes for multiple privately reported security issues.
Users running thumbor in production are strongly encouraged to upgrade to
7.8.0.

Fixed issues include:

• file_loader path confinement bypasses that could allow reads outside
  FILE_LOADER_ROOT_PATH in affected configurations.
• URL signature validation bypass involving repeated or encoded hash prefixes.
• ALLOWED_SOURCES pattern hardening for string-based source restrictions.
• Denial of service fixes in the convolution filter.
• Denial of service fix in the proportion filter.

Security advisories will be published with more details and CVE/GHSA references.

What's Changed

• Remove deprecated license classifier in favor of SPDX expression by @marcelometal in #1738
• Bump CairoSVG to 2.8.2 by @marcelometal in #1737
• Bump setuptools to >=78.1.1 by @marcelometal in #1736
• Expand Pillow version range to allow versions up to <12.0.0 by @marcelometal in #1732
• Fix SyntaxWarning for invalid escape sequence in byte regex by @marcelometal in #1741
• Update base image from bullseye to trixie by @marcelometal in #1748
• chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #1749
• chore(deps): bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #1750
• chore(deps): bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 in /.github/workflows by @dependabot[bot] in #1752
• Drop support for Python 3.9 by @marcelometal in #1747
• chore(deps): bump actions/stale from 9 to 10 by @dependabot[bot] in #1759
• chore(deps): bump actions/setup-python from 5 to 6 by @dependabot[bot] in #1758
• Remove legacy .continuousrc file by @marcelometal in #1756
• Remove duplicate test file by @sephii in #1754
• Migrate legacy issue template to new YAML-based format by @marcelometal in #1755
• Use full SHA for third-party actions by @marcelometal in #1761
• Update pre-commit hooks to latest versions by @marcelometal in #1767
• chore(deps): bump actions/download-artifact from 5 to 6 by @dependabot[bot] in #1769
• chore(deps): bump docker/login-action from 3.0.0 to 3.6.0 by @dependabot[bot] in #1770
• chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1772
• chore(deps): bump docker/build-push-action from 5.0.0 to 6.18.0 by @dependabot[bot] in #1771
• chore(deps): bump psf/black from 25.9.0 to 25.11.0 by @dependabot[bot] in #1778
• chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.11.1 by @dependabot[bot] in #1777
• chore(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #1782
• chore(deps): bump docker/metadata-action from 5.0.0 to 5.10.0 by @dependabot[bot] in #1783
• chore(deps): bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #1787
• chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #1786
• chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #1780
• chore(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #1793
• Convert setup.py to pyproject.toml following PEP 621 by @marcelometal in #1745
• ci: Prevent actions from running twice on PRs by @guilhermef in #1798
• chore(deps): bump docker/build-push-action from 6.18.0 to 6.19.2 by @dependabot[bot] in #1791
• chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #1779
• chore(deps): bump psf/black from 25.11.0 to 26.1.0 by @dependabot[bot] in #1792
• style: format code with black by @marcelometal in #1800
• Add AGENTS.md by @marcelometal in #1796
• Add SECURITY.md by @marcelometal in #1795
• docs: add official Docker image usage to README and hosting docs by @ritoban23 in #1766
• Maintain compatibility with multiple Pillow versions in ImageCms by @marcelometal in #1788
• fix package version metadata by @marcelometal in #1807
• chore(deps): bump docker/metadata-action from 5.10.0 to 6.0.0 by @dependabot[bot] in #1811
• chore(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #1810
• chore(deps): bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in #1809
• chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #1813
• chore(deps-dev): update pytest-cov requirement from <5.0.0,>=4.1.0 to >=4.1.0,<8.0.0 by @dependabot[bot] in #1815
• chore(deps-dev): update pre-commit requirement from <4.0.0,>=3.6.0 to >=3.6.0,<5.0.0 by @dependabot[bot] in #1812
• chore(deps-dev): update pytest-asyncio requirement from <1.0.0,>=0.23.3 to >=0.23.3,<2.0.0 by @dependabot[bot] in #1817
• chore(deps-dev): update pillow-heif requirement from <1.0.0,>=0.22.0 to >=0.22.0,<2.0.0 by @dependabot[bot] in #1816
• Add support to Python 3.14 by @marcelometal in #1775
• chore(deps-dev): update pylint requirement from <4.0.0,>=3.0.3 to >=3.0.3,<5.0.0 by @dependabot[bot] in #1814
• chore(deps): bump pypa/cibuildwheel from 3.4.0 to 3.4.1 by @dependabot[bot] in #1820
• chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #1821
• chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 by @dependabot[bot] in #1822
• chore(deps-dev): update isort requirement from <6.0.0,>=5.13.2 to >=5.13.2,<9.0.0 by @dependabot[bot] in #1825
• chore: make imports compatible with isort 8 by @marcelometal in #1829
• Remove unused webcolors direct dependency by @marcelometal in #1830
• chore(deps-dev): update sentry-sdk requirement from <2.0.0,>=1.39.1 to >=1.39.1,<3.0.0 by @dependabot[bot] in #1827
• chore(deps): update pytz requirement from <2024.0.0,>=2023.3.post1 to >=2023.3.post1,<2027.0.0 by @dependabot[bot] in #1824
• chore(deps): update pillow requirement from <12.0.0,>=10.4.0 to >=10.4.0,<13.0.0 by @dependabot[bot] in #1823
• Remove run-time dependency on setuptools by @cjwatson in #1789
• Use tuple for TIFF header startswith check by @marcelometal in #1831
• Add metrics for filters by @marcelometal in #1806
• Respect ALLOWED_SOURCES in the frame filter by @4390c336 in #1819
• ci: Run ARM build on matching runner by @guilhermef in #1799

New Contributors

• @sephii made their first contribution in #1754
• @ritoban23 made their first contribution in #1766
• @cjwatson made their first contribution in #1789
• @4390c336 made their first contribution in #1819

Full Changelog: 7.7.7...7.8.0