Bundled libpng needs upgrade due to CVEs

[alexaryn]

Currently, wheels-dependencies.sh lists LIBPNG_VERSION=1.6.53. That version of libpng contains the following vulnerabilities:

• CVE-2026-22695
• CVE-2026-22801

An upgrade to libpng 1.6.54 should resolve them. It would be great to have a new release of Pillow that bundles the newer libpng. Otherwise, software deployments utilizing Pillow will fail automated security scans.

[radarhere]

I've created #9397

If there's a serious security problem, we are open to additional releases, but adding another release every time a dependency is updated would make for a very haphazard schedule. Exactly when another release is warranted is not super clear, but looking at https://github.com/pnggroup/libpng/security, libpng 1.6.51, 1.6.52 and 1.6.54 all fixed vulnerabilities within the last two months. If we did this every time, that would have been potentially three extra releases?

Just to provide some additional information - libpng 1.6.54 was only released on January 13. Our next release is scheduled for April 1. Whenever you would like a change not yet released, there is naturally the alternative of building Pillow from source yourself.

[alexaryn]

@radarhere, that sounds pretty reasonable, given the amount of work associated with releasing software. That said, it's common for projects to have a 30-day response time for HIGH CVEs (and even faster for CRITICAL). It might make sense to consider a lightweight release process involving branching from the most recent release just to update dependencies.

[aclark4life]

It might make sense to consider a lightweight release process involving branching from the most recent release just to update dependencies.

We have release branches and we can backport from main to those release branches if need be. I don't think we plan on getting into the dependency-update-release-business, except on a case by cases basis as @radarhere says. Also, if this were a critical issue for Pillow I'd expect it to be reported elsewhere.