Release 0.7.5 to unblock pillow 12.x (CVE-2026-25990)

[thomasboer-sketch]

Summary

The pillow constraint on main has already been relaxed to >=10.3.0,<13.0.0, but the latest PyPI release (v0.7.4) still pins pillow<12.0. This forces downstream consumers onto Pillow 11.x, which is affected by CVE-2026-25990 (heap-based buffer overflow in PSD loading).

Could you cut a 0.7.5 patch release from main? The fix is already there — it just needs a release.

Context

• CVE: CVE-2026-25990 — fixed in Pillow 12.1.1
• Current PyPI (v0.7.4): pillow>=10.3.0,<12.0.0 — blocks Pillow 12.x
• Current main: pillow>=10.3.0,<13.0.0 — allows Pillow 12.x ✅
• Related PR: allow pillow 12 #599 (still open, but the fix landed on main separately)

This is blocking pip-audit / security scans for any project that depends on fastembed.

[thomasboer-sketch]

Friendly bump — PR #611 has since merged (Mar 12), which uncaps pillow entirely. The fix is on main, just waiting on a release. Any timeline for 0.7.5? Thanks!

[IMAGINstudio]

Friendly bump — we're maintaining a temporary fork (fastembed-imagin) that only relaxes the pillow constraint to <13.0. We'd love to drop it once 0.7.5 ships. Any timeline on the next release? Thanks!

[SamOyeAH]

Friendly bump — PR #611 has been merged since March 12, which fully removes the cap on pillow. The fix is on the main branch, just waiting for a release. Is there any timeframe for 0.7.5? Thanks!

[joein]

Hey @SamOyeAH @IMAGINstudio @thomasboer-sketch

Fastembed 0.8.0 has been released a couple of days ago