diff --git a/.github/workflows/run_unittest_on_pr_open.yml b/.github/workflows/run_unittest_on_pr_open.yml
index c50fde17..39cba2a7 100644
--- a/.github/workflows/run_unittest_on_pr_open.yml
+++ b/.github/workflows/run_unittest_on_pr_open.yml
@@ -12,11 +12,11 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
+ python-version: ["3.8", "3.9", "3.10", "3.11"]
 steps:
 - uses: actions/checkout@v3
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
diff --git a/README.md b/README.md
index a2bf8b08..a797f8bc 100755
--- a/README.md
+++ b/README.md
@@ -1,7 +1,8 @@
 # mlb-led-scoreboard
-![Current Version](https://img.shields.io/github/v/release/MLB-LED-Scoreboard/MLB-LED-Scoreboard) [![Join Discord](https://img.shields.io/badge/discord-join-blue.svg)](https://discord.gg/FdD6ec9fdt)
+![Current Version](https://img.shields.io/github/v/release/MLB-LED-Scoreboard/MLB-LED-Scoreboard) ![](https://img.shields.io/badge/python-3.8_%7C_3.9_%7C_3.10_%7C_3.11-blue)
+[![Join Discord](https://img.shields.io/badge/discord-join-green.svg)](https://discord.gg/FdD6ec9fdt)
 Project header
diff --git a/main.py b/main.py
index aed14378..563c3d8e 100755
--- a/main.py
+++ b/main.py
@@ -21,21 +21,7 @@ import threading
 import time
-# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+
-# See requirements.txt for rationale.
-try:
- from PIL import Image
-
- pil_version = tuple(map(int, Image.__version__.split(".")))
- if pil_version < (10, 0, 1):
- debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.")
-
- raise ModuleNotFoundError
-
- PIL_LOADED = True
-except:
- debug.warning("PIL failed to load -- images will not be displayed.")
- PIL_LOADED = False
+from PIL import Image
 # Important! Import the driver first to initialize it, then import submodules as needed.
 import driver
@@ -74,7 +60,7 @@ def main(matrix, config_base):
 # MLB image disabled when using renderer, for now.
 # see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679
- if os.path.exists(logo_path) and driver.is_hardware() and PIL_LOADED:
+ if os.path.exists(logo_path) and driver.is_hardware():
 logo = Image.open(logo_path)
 matrix.SetImage(logo.convert("RGB"))
 logo.close()
diff --git a/renderers/offday.py b/renderers/offday.py
index 94a4a042..338b70c3 100644
--- a/renderers/offday.py
+++ b/renderers/offday.py
@@ -2,13 +2,7 @@ import time
-try:
- from PIL import Image
-
- PIL_LOADED = True
-except:
-
- PIL_LOADED = False
+from PIL import Image
 from data.time_formats import TIME_FORMAT_12H
 from data.config.color import Color
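Review bot: The runtime floor on Pillow is lost in the first main.py hunk: the removed block refused to use any Pillow older than 10.0.1, while the bare `from PIL import Image` that replaces it accepts whatever version is already installed. An existing install that pulls this commit without re-running `pip install -r requirements.txt` would keep decoding images with a pre-10.0.1 Pillow, the CVE-2023-4863 case the removed comment named, and would get no warning. I would keep a fail-closed check directly after the import, for example `if tuple(map(int, Image.__version__.split("."))) < (10, 0, 1): raise SystemExit("Pillow >= 10.0.1 is required (CVE-2023-4863); re-run pip install -r requirements.txt")`. The same unconditional import is introduced in renderers/offday.py, so one check at start-up in main.py would cover both.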
@@ -44,10 +38,9 @@ def __render_clock(canvas, layout, colors, time_format):
 def __render_weather(canvas, layout, colors, weather):
 if weather.available():
- if PIL_LOADED:
- image_file = weather.icon_filename()
- weather_icon = Image.open(image_file)
- __render_weather_icon(canvas, layout, colors, weather_icon)
+ image_file = weather.icon_filename()
+ weather_icon = Image.open(image_file)
+ __render_weather_icon(canvas, layout, colors, weather_icon)
 __render_weather_text(canvas, layout, colors, weather.conditions, "conditions")
 __render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature")
 __render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed")
diff --git a/requirements.txt b/requirements.txt
index 50f84928..3f95f664 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,17 +1,6 @@
 feedparser==6.0.10
 MLB_StatsAPI>=1.6.1
-# PIL is affected by CVE-2023-4863
-# https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-#
-# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
-# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
-#
-# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
-#
-# Dependabot PR:
-# https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
-#
-# Pillow==9.3.1
+Pillow>=10.0.1
 pyowm==3.3.0
 RGBMatrixEmulator>=0.8.4
 tzlocal==4.2
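Review bot: `Image.open(image_file)` in `__render_weather` is opened with no error handling, and nothing in the visible lines closes the handle. If `weather.icon_filename()` ever names a file that is missing or unreadable, the exception also skips the three `__render_weather_text` calls that follow, so the screen loses its weather text and not just the icon. I would write `with Image.open(image_file) as weather_icon:` around the `__render_weather_icon(canvas, layout, colors, weather_icon)` call so the file is released on each render, and consider catching `OSError` there so the text still draws. Whether `__render_weather_icon` closes the image itself is not visible in this hunk, so that part should be confirmed.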
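Review bot: `Pillow>=10.0.1` in requirements.txt carries no comment saying why the lower bound exists, and the block that explained it is deleted in the same hunk. Without that record, a later change that loosens the pin to bring back Python 3.7 support would quietly reintroduce the range affected by CVE-2023-4863. I would add one comment line above the requirement, for example `# Floor is the Pillow release that patches CVE-2023-4863; needs Python 3.8+, do not lower.`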