Stirling-PDF

Mirrors/Stirling-PDF

Fork 0

mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2026-02-01 20:10:35 +01:00

Commit Graph

Author	SHA1	Message	Date
Anthony Stirling	68ed54e398	V1 merge (#5193 ) # Description of Changes <!-- Please provide a summary of the changes, including: - What was changed - Why the change was made - Any challenges encountered Closes #(issue_number) --> --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Balázs Szücs <bszucs1209@gmail.com> Signed-off-by: stirlingbot[bot] <stirlingbot[bot]@users.noreply.github.com> Co-authored-by: ConnorYoh <40631091+ConnorYoh@users.noreply.github.com> Co-authored-by: Connor Yoh <connor@stirlingpdf.com> Co-authored-by: OUNZAR Aymane <aymane.ounzar@imt-atlantique.net> Co-authored-by: YAOU Reda <yaoureda24@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: stirlingbot[bot] <195170888+stirlingbot[bot]@users.noreply.github.com> Co-authored-by: Balázs Szücs <127139797+balazs-szucs@users.noreply.github.com> Co-authored-by: Ludy <Ludy87@users.noreply.github.com> Co-authored-by: tkymmm <136296842+tkymmm@users.noreply.github.com> Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org> Co-authored-by: albanobattistella <34811668+albanobattistella@users.noreply.github.com> Co-authored-by: PingLin8888 <88387490+PingLin8888@users.noreply.github.com> Co-authored-by: FdaSilvaYY <FdaSilvaYY@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: OteJlo <106060728+OteJlo@users.noreply.github.com> Co-authored-by: Angel <41905618+TheShadowAngel@users.noreply.github.com> Co-authored-by: Ricardo Catarino <ricardomicc@gmail.com> Co-authored-by: Luis Antonio Argüelles González <luis.arguelles@encora.com> Co-authored-by: Dawid Urbański <31166488+urbaned121@users.noreply.github.com> Co-authored-by: Stephan Paternotte <Stephan-P@users.noreply.github.com> Co-authored-by: Leonardo Santos Paulucio <leonardo.paulucio@hotmail.com> Co-authored-by: hamza khalem <72972114+hamzakhalem@users.noreply.github.com> Co-authored-by: IT Creativity + Art Team <admin@it-playground.net> Co-authored-by: Reece Browne <74901996+reecebrowne@users.noreply.github.com> Co-authored-by: James Brunton <jbrunton96@gmail.com> Co-authored-by: Victor Villarreal <133383186+vvillarreal-cfee@users.noreply.github.com>	2025-12-21 10:40:32 +00:00
Ludy	655471ef29	fix(ci): 🛡️ mitigate CVE-2025-8869 by enforcing wheels-only pip installs and upgrading pinned dependencies (#4598 ) # Description of Changes This PR mitigates CVE-2025-8869 (GHSA-4xh5-x5gv-qwph), a high-severity vulnerability in `pip` ≤ 25.2 that allows arbitrary file overwrite via unsafe tar extraction in sdist fallback handling. What was changed: - Added environment variables to all GitHub Actions (`pre_commit.yml`, `sync_files.yml`) to enforce binary-only installs: - `PIP_ONLY_BINARY=":all:"` - `PIP_DISABLE_PIP_VERSION_CHECK="1"` - Updated multiple `.github/scripts/.txt` requirements to use Python 3.12 as the generation base. - Upgraded pinned dependencies to latest secure versions: - `filelock 3.19.1`, `identify 2.6.15`, `platformdirs 4.4.0`, `pyyaml 6.0.3`, `behave 1.3.3`, `pypdf 6.1.1`, `reportlab 4.4.4`, `requests 2.32.5` - Adjusted file path formatting (`\` → `/`) for consistent cross-platform compatibility. Why the change was made:* To prevent exploitation of the tar extraction vulnerability in vulnerable pip versions when installing from source distributions during CI runs. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.	2025-10-04 12:50:37 +01:00
Ludy	f5f011f1e0	deps: Pin Python dev dependencies and lock hashes to remediate security alert 302 (#4173 ) ## Description of Changes - What was changed - Added `.github/scripts/requirements_dev.in` and an autogenerated, hash-locked `.github/scripts/requirements_dev.txt` to control Python dev dependencies via `pip-compile`. - Why the change was made - To remediate a GitHub code scanning alert by removing vulnerable transitive ranges and ensuring reproducible installs with vetted versions and hashes. - Any challenges encountered - Reconciling version constraints among image/PDF tooling (e.g., Pillow, pdf2image, OpenCV, WeasyPrint) while keeping wheels available across CI platforms. - Ensuring the generated lockfile remains maintainable and can be refreshed with `pip-compile` when needed. Closes #https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/302 --- ## Checklist ### General - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.	2025-08-24 22:03:12 +01:00

Author

SHA1

Message

Date

Anthony Stirling

68ed54e398

V1 merge (#5193 )

# Description of Changes

<!--
Please provide a summary of the changes, including:

- What was changed
- Why the change was made
- Any challenges encountered

Closes #(issue_number)
-->

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Balázs Szücs <bszucs1209@gmail.com>
Signed-off-by: stirlingbot[bot] <stirlingbot[bot]@users.noreply.github.com>
Co-authored-by: ConnorYoh <40631091+ConnorYoh@users.noreply.github.com>
Co-authored-by: Connor Yoh <connor@stirlingpdf.com>
Co-authored-by: OUNZAR Aymane <aymane.ounzar@imt-atlantique.net>
Co-authored-by: YAOU Reda <yaoureda24@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: stirlingbot[bot] <195170888+stirlingbot[bot]@users.noreply.github.com>
Co-authored-by: Balázs Szücs <127139797+balazs-szucs@users.noreply.github.com>
Co-authored-by: Ludy <Ludy87@users.noreply.github.com>
Co-authored-by: tkymmm <136296842+tkymmm@users.noreply.github.com>
Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org>
Co-authored-by: albanobattistella <34811668+albanobattistella@users.noreply.github.com>
Co-authored-by: PingLin8888 <88387490+PingLin8888@users.noreply.github.com>
Co-authored-by: FdaSilvaYY <FdaSilvaYY@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: OteJlo <106060728+OteJlo@users.noreply.github.com>
Co-authored-by: Angel <41905618+TheShadowAngel@users.noreply.github.com>
Co-authored-by: Ricardo Catarino <ricardomicc@gmail.com>
Co-authored-by: Luis Antonio Argüelles González <luis.arguelles@encora.com>
Co-authored-by: Dawid Urbański <31166488+urbaned121@users.noreply.github.com>
Co-authored-by: Stephan Paternotte <Stephan-P@users.noreply.github.com>
Co-authored-by: Leonardo Santos Paulucio <leonardo.paulucio@hotmail.com>
Co-authored-by: hamza khalem <72972114+hamzakhalem@users.noreply.github.com>
Co-authored-by: IT Creativity + Art Team <admin@it-playground.net>
Co-authored-by: Reece Browne <74901996+reecebrowne@users.noreply.github.com>
Co-authored-by: James Brunton <jbrunton96@gmail.com>
Co-authored-by: Victor Villarreal <133383186+vvillarreal-cfee@users.noreply.github.com>

2025-12-21 10:40:32 +00:00

Ludy

655471ef29

fix(ci): 🛡️ mitigate CVE-2025-8869 by enforcing wheels-only pip installs and upgrading pinned dependencies (#4598 )

# Description of Changes

This PR mitigates **CVE-2025-8869** (GHSA-4xh5-x5gv-qwph), a
high-severity vulnerability in `pip` ≤ 25.2 that allows arbitrary file
overwrite via unsafe tar extraction in sdist fallback handling.

**What was changed:**
- Added environment variables to all GitHub Actions (`pre_commit.yml`,
`sync_files.yml`) to **enforce binary-only installs**:
  - `PIP_ONLY_BINARY=":all:"`
  - `PIP_DISABLE_PIP_VERSION_CHECK="1"`
- Updated multiple `.github/scripts/*.txt` requirements to use Python
3.12 as the generation base.
- Upgraded pinned dependencies to latest secure versions:
- `filelock 3.19.1`, `identify 2.6.15`, `platformdirs 4.4.0`, `pyyaml
6.0.3`, `behave 1.3.3`, `pypdf 6.1.1`, `reportlab 4.4.4`, `requests
2.32.5`
- Adjusted file path formatting (`\` → `/`) for consistent
cross-platform compatibility.

**Why the change was made:**
To prevent exploitation of the tar extraction vulnerability in
vulnerable pip versions when installing from source distributions during
CI runs.

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.

2025-10-04 12:50:37 +01:00

Ludy

f5f011f1e0

deps: Pin Python dev dependencies and lock hashes to remediate security alert 302 (#4173 )

## Description of Changes

- **What was changed**
- Added `.github/scripts/requirements_dev.in` and an autogenerated,
hash-locked `.github/scripts/requirements_dev.txt` to control Python dev
dependencies via `pip-compile`.
- **Why the change was made**
- To remediate a GitHub code scanning alert by removing vulnerable
transitive ranges and ensuring reproducible installs with vetted
versions and hashes.
- **Any challenges encountered**
- Reconciling version constraints among image/PDF tooling (e.g., Pillow,
pdf2image, OpenCV, WeasyPrint) while keeping wheels available across CI
platforms.
- Ensuring the generated lockfile remains maintainable and can be
refreshed with `pip-compile` when needed.



Closes
#https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/302

---

## Checklist

### General

- [x] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [x] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.

2025-08-24 22:03:12 +01:00

3 Commits