# rembg is pinned to 2.0.69. The patched 2.0.75 (GHSA: server SSRF/CORS +
# custom-model path traversal) pulls numpy>=2.3, scipy>=1.16 and
# scikit-image>=0.26 -- a numpy 2.x closure that is incompatible with this
# numpy==1.26.4-locked stack (realesrgan 0.3.0 and codeformer-pip 0.0.4 break
# on numpy 2.x). Both advisories are unreachable here: rembg is used purely as
# a library (we never run `rembg s`), and new_session() only ever receives
# allowlisted model names (remove_bg.py ALLOWED_MODELS), never user paths.
rembg==2.0.69
realesrgan==0.3.0
paddleocr==2.9.1
paddlepaddle-gpu==3.0.0
mediapipe>=0.10.21
onnxruntime-gpu==1.20.1
numpy==1.26.4
Pillow==12.2.0
opencv-python-headless==4.10.0.84
codeformer-pip==0.0.4

# OpenTelemetry: enables the innermost sidecar.<script> span when
# OTEL_EXPORTER_OTLP_ENDPOINT is set (enterprise distributed_tracing). Pure-Python,
# no numpy/scipy deps, so safe for the numpy==1.26.4-locked stack.
opentelemetry-api==1.27.0
opentelemetry-sdk==1.27.0
opentelemetry-exporter-otlp-proto-http==1.27.0
