fix: resolve critical/high Dependabot security alerts (#4652)

Upgrade pillow 10.4.0 → 12.1.1 (out-of-bounds write on PSD images), langchain-core 0.3.76 → 0.3.83 (template injection), and urllib3 2.6.1 → 2.6.3 (decompression-bomb bypass on redirects). Bump docling ~=2.63.0 → ~=2.75.0 for pillow 12 compat, and add uv overrides for pillow/langchain-core to unblock transitive pins from fastembed and langchain-apify.
2026-05-03 00:02:36 +00:00 · 2026-02-28 13:04:35 -06:00
parent 3899910aa9
commit 6c8c6c8e12
4 changed files with 110 additions and 88 deletions
--- a/lib/crewai/pyproject.toml
+++ b/lib/crewai/pyproject.toml
@@ -66,7 +66,7 @@ openpyxl = [
 ]
 mem0 = ["mem0ai~=0.1.94"]
 docling = [
-    "docling~=2.63.0",
+    "docling~=2.75.0",
 ]
 qdrant = [
    "qdrant-client[fastembed]~=1.14.3",