Pillow/RELEASING.md
Jeffrey 'Alex' Clark 6e1ccab749 Address review feedback on INCIDENT_RESPONSE.md
- Update CVSS v3.1 to CVSS 4.0 throughout
- Remove 'Direct maintainer contact' from detection sources
- Fix 'before it stays public' wording for user bug reports
- Simplify sections 7.3 and 7.4 to reference RELEASING.md instead
  of duplicating release process steps
- Update RELEASING.md Point release section with security-specific
  steps (amend CVE in commits, publish GitHub Security Advisory)
- Fix PyPI API tokens entry (remove GitHub secrets reference)
- Fix 404 PyPI manage URL (use correct case and /releases/ path)
- Replace security@pypi.org mailto with https://pypi.org/security/
- Remove unconfirmed 'Notify GitHub Security' bullet
- Fix section numbering: 10.x → 9.x under Section 9. Dependency Map
- Reorder: move 9.3 Responding to Upstream Vulnerability before 9.3
  Downstream Dependencies (now 9.2 and 9.3 respectively)
- Add anchor link for Section 5 reference in 9.2
- Add #plugin-list anchor to third-party plugins handbook link
- Fix GitLab issue tracker URLs to use /-/work_items for libtiff,
  freetype2, and bzip2
- Add pyproject.toml reference for complete optional dependencies list

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-10 10:58:43 -04:00


Release checklist

See https://pillow.readthedocs.io/en/stable/releasenotes/versioning.html for information about how the version numbers line up with releases.

Main release

Released quarterly on January 2nd, April 1st, July 1st and October 15th.

  • Create a new issue and select the "Maintainers only: Release" template.

Point release

Released as needed for security, installation or critical bug fixes.

  • Make necessary changes in main branch.
  • Check out release branch e.g.:
    git checkout -t remotes/origin/5.2.x
    
  • Cherry pick individual commits from main branch to release branch e.g. 5.2.x, then git push.
  • If this is a security fix: amend commits to include the CVE identifier in the commit message.
  • Check GitHub Actions to confirm passing tests in release branch e.g. 5.2.x.
  • In compliance with PEP 440, update the version identifier in src/PIL/_version.py.
  • Run pre-release check via make release-test.
  • Create tag for release e.g.:
    git tag 5.2.1
    git push --tags
    
  • Create and check source distribution:
    make sdist
    
  • Check the GitHub Actions "Wheels" workflow has passed, including the "Upload release to PyPI" job. This will have been triggered by the new tag.
  • Publish the release on GitHub and then:
    git push
    
  • If this is a security fix: publish the GitHub Security Advisory.

Embargoed release

Released as needed privately to individual vendors for critical security-related bug fixes.

  • Prepare patch for all versions that will get a fix. Test against local installations.
  • Commit against main, cherry pick to affected release branches.
  • Run local test matrix on each release & Python version.
  • Privately send to distros.
  • Run pre-release check via make release-test.
  • Amend any commits to include the CVE identifier.
  • On release date, tag and push to GitHub:
    git checkout 2.5.x
    git tag 2.5.3
    git push origin --tags
    
  • Check the GitHub Actions "Wheels" workflow has passed, including the "Upload release to PyPI" job. This will have been triggered by the new tag.
  • Publish the release on GitHub and then:
    git push origin 2.5.x
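
The security-specific steps in the two checklists above (the version identifier agrees with the tag, and fix commits carry the CVE identifier) can be checked before tagging. This is an added example, not part of Pillow's release tooling; the function names are hypothetical, and it assumes `_version.py` holds a `__version__ = "X.Y.Z"` line and three-part release numbers like the 5.2.1 and 2.5.3 used above.

```shell
#!/bin/sh
# Added example: pre-tag checks for a security point release.
# Assumption: _version.py holds a line of the form  __version__ = "5.2.1"

# Print the version assigned to __version__ in the given file.
version_from_file() {
    sed -n 's/^__version__ *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only for a final X.Y.Z identifier (rejects .devN, rcN, a "v" prefix).
is_final_release() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Fail unless the version file and the tag about to be created agree.
check_tag_matches_version() {  # usage: check_tag_matches_version FILE TAG
    file_version=$(version_from_file "$1")
    if ! is_final_release "$2"; then
        echo "tag '$2' is not a final X.Y.Z version" >&2; return 1
    fi
    if [ "$file_version" != "$2" ]; then
        echo "$1 says '$file_version' but tag is '$2'" >&2; return 1
    fi
}

# Read commits on stdin as "<hash> TAB <full message>" records separated by
# ASCII RS (0x1e); print the hash of each commit whose message has no CVE id.
commits_missing_cve() {
    awk 'BEGIN { RS = "\036" }
         { sub(/^\n+/, "") }
         $0 != "" && $0 !~ /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/ {
             split($0, field, "\t"); print field[1]
         }'
}

# With a real checkout (<fix-commits> is a placeholder revision range):
#   check_tag_matches_version src/PIL/_version.py 5.2.1
#   git log --format='%h%x09%B%x1e' <fix-commits> | commits_missing_cve

# Constructed demo input: two commit records, the second without a CVE id.
printf 'aaa1111\tFix overflow\n\nCVE-2099-0001\n\036\nbbb2222\tBump version\n\036\n' |
    commits_missing_cve   # prints bbb2222
```

Feed `commits_missing_cve` only the commits that are meant to be security fixes; a version-bump commit in the same range is expected to be listed.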
    

Publicize release

Documentation

Docker images

  • Update Pillow in the Docker Images repository:
    git clone https://github.com/python-pillow/docker-images
    cd docker-images
    ./update-pillow-tag.sh [[release tag]]