
Fix Dependabot security alerts: bump nbconvert to 7.17.0 and pillow to 12.1.1 #37

Closed
Copilot wants to merge 4 commits into master from copilot/fix-dependabot-security-alerts

Conversation

Contributor

Copilot AI commented Feb 20, 2026

Two vulnerable indirect dev dependencies were being locked at unsafe versions due to loose transitive constraints. Addresses Dependabot alerts #32 (nbconvert) and #33 (pillow).

Changes

pyproject.toml

  • Added explicit lower bounds in [dependency-groups] dev:
    • nbconvert (>=7.17.0) — previously jupyter-server's >=6.4.4 constraint allowed the vulnerable 7.16.6 to be resolved
    • pillow (>=12.1.1) — previously matplotlib's >=8 constraint allowed the vulnerable 12.0.0 (out-of-bounds write on PSD load, >=10.3.0,<12.1.1) to be resolved

poetry.lock

  • Regenerated using Poetry 2.2.1 (matching the version pinned in .github/actions/ci-setup/action.yml) to resolve nbconvert==7.17.0 and pillow==12.1.1

.github/workflows/ci.yml

  • Removed --ignore-vuln GHSA-xm59-rqc7-hhvf from the pip-audit step — this suppression was added when the nbconvert fix was unavailable and is no longer needed
Original prompt

Fix two open Dependabot security alerts in Renumics/mesh2vec

There are two open Dependabot security alerts that need to be fixed manually by updating the pyproject.toml and poetry.lock:

Alert #32: nbconvert vulnerability (dev dependency)

  • Package: nbconvert (indirect dev dependency, pulled in via notebook)
  • Issue: A vulnerability existed in nbconvert that had no fix at the time (Jan 2026). It was previously ignored via commit 4baa8a5 ("Ignore nbconvert vulnerability since dev dependency and not yet fixed").
  • Fix: nbconvert >= 7.17.0 is now patched and available. The notebook dev dependency in pyproject.toml is currently notebook (>=7.4.7,<8.0.0). Update the minimum version of notebook to ensure nbconvert>=7.17.0 is resolved, and regenerate / update poetry.lock to pull in the patched nbconvert 7.17.0.

Alert #33: pillow out-of-bounds write when loading PSD images

  • Package: pillow (indirect dependency, pulled in via other packages in poetry.lock)
  • CVE: Out-of-bounds write vulnerability when loading PSD images
  • Affected versions: >= 10.3.0, < 12.1.1
  • Patched version: 12.1.1
  • Fix: Update poetry.lock so that pillow resolves to version 12.1.1 or later.

What to do

  1. Look at the current pyproject.toml (at root of repo, branch master):

    • notebook (>=7.4.7,<8.0.0) is in the [dependency-groups] dev section
    • Consider tightening the lower bound of notebook if needed to force nbconvert>=7.17.0
  2. Update poetry.lock to:

    • Resolve nbconvert to >=7.17.0
    • Resolve pillow to >=12.1.1
  3. If pillow is not directly listed in pyproject.toml, add it explicitly as a dev dependency with pillow (>=12.1.1) to ensure the locked version is secure. Alternatively, if another dependency pulls it in transitively, update poetry.lock accordingly.

  4. Open a pull request on the master branch with these changes and a clear description referencing Dependabot alerts #32 and #33.

The current pyproject.toml is at: https://github.com/Renumics/mesh2vec/blob/master/pyproject.toml
The current poetry.lock is at: https://github.com/Renumics/mesh2vec/blob/master/poetry.lock

This pull request was created from Copilot chat.



Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix two Dependabot security alerts in Renumics/mesh2vec Fix Dependabot security alerts: bump nbconvert to 7.17.0 and pillow to 12.1.1 Feb 20, 2026
Copilot AI requested a review from markus-stoll February 20, 2026 09:50
@markus-stoll markus-stoll marked this pull request as ready for review February 20, 2026 09:52
Copilot AI and others added 2 commits February 20, 2026 09:56
…m CI

Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>