From ce6be8b774da131e58d8dcd6eb8d06a770244d8b Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Wed, 6 May 2026 08:55:33 -0400
Subject: [PATCH] fix(python-fastapi): bump pillow and python-dotenv for security advisories

- pillow 12.2.0 (CVE-2026-42308 through CVE-2026-42311, GHSA-5xmw-vc9v-4wf2, etc.)
- python-dotenv 1.2.2 (CVE-2026-28684, GHSA-mf9w-mj56-hr94)

Addresses Dependabot alerts #47-51 on mongodb/docs-sample-apps.

Co-authored-by: Cursor
---
 mflix/server/python-fastapi/requirements.in | 4 ++--
 mflix/server/python-fastapi/requirements.txt | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index 733e165..f798bfe 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -14,7 +14,7 @@ watchfiles~=1.1.1 # For hot-reloading in development
 # Primary libraries for data models and environment config.
 # ------------------------------------------------------------------------------
 pydantic~=2.12.5 # Data validation and settings management
-python-dotenv~=1.1.1 # For loading configuration from .env files
+python-dotenv>=1.2.2 # For loading configuration from .env files (CVE-2026-28684)
 python-multipart>=0.0.22 # For parsing form data and file uploads
 PyYAML~=6.0.3 # For handling YAML configuration or data
 
@@ -65,5 +65,5 @@ filelock>=3.20.3 # Transitive dep via huggingface-hub
 aiohttp>=3.13.4 # Transitive dep via voyageai (CVE-2026-34525)
 orjson>=3.11.7 # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.2.11 # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
-pillow>=12.1.1 # Transitive dep via voyageai (CVE-2026-25990 fix)
+pillow>=12.2.0 # Transitive dep via voyageai (Pillow 12.2.0 security fixes)
 requests>=2.33.0 # Transitive dep via langsmith/voyageai (CVE-2026-25645 fix)
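Review bot: The python-dotenv line in the first requirements.in hunk changes the specifier from `~=` to `>=`, not just the version, so the upper bound that `~=1.1.1` provided is gone and a later re-compile can resolve to any future release, including a new major version. If only the security floor is intended, `python-dotenv~=1.2.2 # For loading configuration from .env files (CVE-2026-28684)` keeps the compatible-release style of the neighbouring `pydantic` and `PyYAML` lines while still enforcing the 1.2.2 floor. requirements.txt still pins `python-dotenv==1.2.2`, so the wider range only takes effect at the next compile.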
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 3563232..4a51bab 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -127,7 +127,7 @@ packaging==26.0
 # langchain-core
 # langsmith
 # pytest
-pillow==12.1.1
+pillow==12.2.0
 # via
 # -r requirements.in
 # voyageai
@@ -159,7 +159,7 @@ pytest==8.4.2
 # pytest-asyncio
 pytest-asyncio==1.2.0
 # via -r requirements.in
-python-dotenv==1.1.1
+python-dotenv==1.2.2
 # via
 # -r requirements.in
 # uvicorn