[Bug]: Security issue in pillow dep

[pcorpet]

What happened?

The latest version of fastembed relies on pillow < 12.0 which exposes a vulnerability.
See GHSA-cfh3-3jmp-rvhc

Please update this library so that it can work with a patched version

What is the expected behaviour?

No response

A minimal reproducible example

No response

What Python version are you on? e.g. python --version

Python3.13

FastEmbed version

v0.7.4

What os are you seeing the problem on?

No response

Relevant stack traces and/or logs

[thomasboer-sketch]

+1 — this is blocking our publish pipeline as well. pip-audit flags pillow 11.3.0 for CVE-2026-25990 (fixed in 12.1.1), and fastembed 0.7.4 pins pillow<12.0.

Note that the main branch still has the <12.0 upper bound too, so a release from current main wouldn't fix it.

Happy to open a PR bumping the constraint if that helps.

[patricklewis]

@thomasboer-sketch see #599 for a PR to allow Pillow 12

[terencehonles]

my PR was superseded by #611, but it still needs to be released

[thephfernandes]

@tbung any updates on the release?