Relax Pillow version constraint to allow β₯12.1.1 (security fix for CVE-2026-25990)Β #831
Description
Hi SuperAnnotate team π
We noticed that the current SDK dependency pins Pillow to:
pillow >= 9.5, ~=10.0
However, Pillow versions below 12.1.1 are affected by CVE-2026-25990.
Because of this, we are required to upgrade to Pillow β₯12.1.1 in our environment.
At the moment, the current version constraint prevents us from doing so.
Could you please clarify:
- Are there any known compatibility issues with Pillow 12.x?
- Are there plans to widen the dependency constraint to allow Pillow β₯12.1.1?
- Would you consider relaxing the bound (e.g.,
pillow>=9.5,<13) if compatibility allows?
This is currently blocking us from addressing a security vulnerability, so an update would be greatly appreciated.
Thank you!