fix: pip-audit vulnerabilities across Python skills #1359

@katriendg

Description

pip-audit CI fails for the powerpoint skill and will fail for jira and gitlab once their pytest vulnerability is detected. Dependabot PR #1355 bumps pillow only in the powerpoint skill but misses the pytest CVE affecting all three skills. Fixing this issue will close the above PR and fix remaining items.

| Package | Version | CVE | Fix | Affected Skills |
|---------|---------|-----|-----|-----------------|
| pillow | 12.1.1 | CVE-2026-40192 | 12.2.0 | powerpoint |
| pytest | 9.0.2 | CVE-2025-71176 | 9.0.3 | powerpoint, jira, gitlab |

CVE-2026-40192 — Pillow decompression bomb via FITS images; unbounded memory consumption leads to OOM crash.
CVE-2025-71176 — pytest /tmp/pytest-of-{user} directory predictability allows local privilege escalation.

Implementation Plan

Phase 1: Update Python dependencies

powerpoint skill (.github/skills/experimental/powerpoint/)

uv lock --upgrade-package pillow --upgrade-package pytest
  • pillow: 12.1.1 → 12.2.0
  • pytest: 9.0.2 → 9.0.3

jira skill (.github/skills/jira/jira/)

uv lock --upgrade-package pytest
  • pytest: 9.0.2 → 9.0.3

gitlab skill (.github/skills/gitlab/gitlab/)

uv lock --upgrade-package pytest
  • pytest: 9.0.2 → 9.0.3

Phase 2: Regenerate plugin outputs

npm run plugin:generate

Phase 3: Validation

npm run validate:skills
npm run lint:all

Files Affected

  • .github/skills/experimental/powerpoint/uv.lock — pillow + pytest
  • .github/skills/jira/jira/uv.lock — pytest
  • .github/skills/gitlab/gitlab/uv.lock — pytest
  • plugins/*/skills/experimental/powerpoint/uv.lock — mirror
  • plugins/*/skills/jira/jira/uv.lock — mirror (if present)
  • plugins/*/skills/gitlab/gitlab/uv.lock — mirror (if present)

Labels: dependencies (Dependency updates), security (Security-related changes or concerns), skills (Copilot skill packages (SKILL.md))