
fix(deps): upgrade vulnerable transitive dependencies [security] #72

Closed

lawrence-u10d wants to merge 1 commit into main from security/lockfile-transitive-deps

Conversation

@lawrence-u10d (Contributor) commented Apr 3, 2026

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69226 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69224 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69228 |
| aiohttp | 3.12.15 | 3.13.3 | High | CVE-2025-69223 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69230 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69229 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69227 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69225 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-22815 |
| filelock | 3.19.1 | 3.20.3 | Medium | CVE-2026-22701 |
| filelock | 3.19.1 | 3.20.1 | Medium | CVE-2025-68146 |
| jupyterlab | 4.4.7 | 4.4.8 | Low | CVE-2025-59842 |
| nbconvert | 7.16.6 | 7.17.0 | High | CVE-2025-53000 |
| pip | 25.2 | 25.3 | Medium | CVE-2025-8869 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pypdf | 6.0.0 | 6.6.2 | Medium | CVE-2026-24688 |
| pypdf | 6.0.0 | 6.7.2 | Low | CVE-2026-27628 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22691 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22690 |
| pypdf | 6.0.0 | 6.9.2 | Medium | CVE-2026-33699 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27024 |
| pypdf | 6.0.0 | 6.7.5 | Medium | CVE-2026-28804 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27026 |
| pypdf | 6.0.0 | 6.7.4 | Medium | CVE-2026-28351 |
| pypdf | 6.0.0 | 6.8.0 | Medium | CVE-2026-31826 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62708 |
| pypdf | 6.0.0 | 6.4.0 | Medium | CVE-2025-66019 |
| pypdf | 6.0.0 | 6.9.1 | Medium | CVE-2026-33123 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62707 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27025 |
| pypdf | 6.0.0 | 6.7.3 | Medium | CVE-2026-27888 |
| python-multipart | 0.0.20 | 0.0.22 | High | CVE-2026-24486 |
| requests | 2.32.5 | 2.33.0 | Medium | CVE-2026-25645 |
| starlette | 0.47.3 | 0.49.1 | High | CVE-2025-62727 |
| tornado | 6.5.2 | 6.5.5 | Medium | GHSA-78cv-mqj4-43f7 |
| tornado | 6.5.2 | 6.5.5 | High | CVE-2026-31958 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66471 |
| urllib3 | 2.5.0 | 2.6.3 | High | CVE-2026-21441 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66418 |
| virtualenv | 20.34.0 | 20.36.1 | Medium | CVE-2026-22702 |

Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| cryptography | 45.0.7 | 46.0.6 | Low | CVE-2026-34073 | major bump |
| cryptography | 45.0.7 | 46.0.5 | High | CVE-2026-26007 | major bump |
| pip | 25.2 | 26.0 | Low | CVE-2026-1703 | major bump |

These require a major version upgrade and should be planned manually.

What this PR does

  1. Scans all uv.lock files with grype for known CVEs
  2. Runs uv lock --upgrade-package <pkg> for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.


Note (Cursor Bugbot)

Low Risk

Low risk: only a patch version bump and changelog entry were added; functional code paths are unchanged. Any risk is limited to potential runtime differences from updated transitive dependency versions once lockfiles are regenerated/released.

Overview

Bumps the package release version to 0.1.7 and adds a 0.1.7 changelog entry documenting a security-driven upgrade of vulnerable transitive dependencies.

Written by Cursor Bugbot for commit b851128. This will update automatically on new commits.

Packages upgraded: aiohttp filelock jupyterlab nbconvert pip pygments pypdf python-multipart requests starlette tornado urllib3 virtualenv

Automated by lockfile-security-scan workflow.
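The three steps in "What this PR does" hide one decision that the tables make visible: a single package can be partly remediated (pip is bumped to 25.3 for CVE-2025-8869 while CVE-2026-1703, fixed only in 26.0, is skipped), so the major-bump check has to run per finding and the upgrade target per package is the highest fix version among the findings that survive it. The following is an added example, not the code of the lockfile-security-scan workflow or of this repository. It assumes grype's JSON report exposes `artifact.name`, `artifact.version`, `vulnerability.id`, `vulnerability.severity` and `vulnerability.fix.versions` for each match; the sample report embedded below is constructed from the versions and ids in the PR tables plus one placeholder finding with no fixed release.

```python
import json

# Constructed sample in the shape grype's JSON output uses for matches
# (artifact.name/version, vulnerability.id/severity/fix.versions). The field
# names are an assumption about grype's schema; package versions and ids are
# the ones in the PR tables, but no real scan produced this document.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"artifact": {"name": "pip", "version": "25.2"},
         "vulnerability": {"id": "CVE-2025-8869", "severity": "Medium",
                           "fix": {"versions": ["25.3"]}}},
        {"artifact": {"name": "pip", "version": "25.2"},
         "vulnerability": {"id": "CVE-2026-1703", "severity": "Low",
                           "fix": {"versions": ["26.0"]}}},
        {"artifact": {"name": "pypdf", "version": "6.0.0"},
         "vulnerability": {"id": "CVE-2025-62708", "severity": "Medium",
                           "fix": {"versions": ["6.1.3"]}}},
        {"artifact": {"name": "pypdf", "version": "6.0.0"},
         "vulnerability": {"id": "CVE-2026-33699", "severity": "Medium",
                           "fix": {"versions": ["6.9.2"]}}},
        {"artifact": {"name": "cryptography", "version": "45.0.7"},
         "vulnerability": {"id": "CVE-2026-26007", "severity": "High",
                           "fix": {"versions": ["46.0.5"]}}},
        {"artifact": {"name": "tornado", "version": "6.5.2"},
         "vulnerability": {"id": "GHSA-78cv-mqj4-43f7", "severity": "Medium",
                           "fix": {"versions": ["6.5.5"]}}},
        # Placeholder finding with no fixed release: an upgrade cannot remediate it.
        {"artifact": {"name": "placeholder-pkg", "version": "1.2.0"},
         "vulnerability": {"id": "PLACEHOLDER-ID", "severity": "Low",
                           "fix": {"versions": []}}},
    ]
})


def parse_version(text):
    """Turn '3.13.4' into (3, 13, 4); a non-numeric suffix ends the tuple."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def lowest_fix(installed, fix_versions):
    """Smallest fixed release newer than the locked version, or None."""
    current = parse_version(installed)
    candidates = [v for v in fix_versions if parse_version(v) > current]
    return min(candidates, key=parse_version) if candidates else None


def is_major_bump(installed, target):
    """True when reaching the fix changes the first version component."""
    return parse_version(installed)[0] != parse_version(target)[0]


def triage(grype_json):
    """Split findings into per-package upgrades, skipped major bumps and
    findings with no fix. The decision is made per finding, so one package
    can appear both in `upgrades` and in `skipped`."""
    report = json.loads(grype_json)
    upgrades = {}   # name -> highest target among fixable findings
    skipped = []    # (name, installed, target, id)
    unfixable = []  # (name, installed, id)
    for match in report["matches"]:
        name = match["artifact"]["name"]
        installed = match["artifact"]["version"]
        vuln = match["vulnerability"]
        target = lowest_fix(installed, vuln["fix"]["versions"])
        if target is None:
            unfixable.append((name, installed, vuln["id"]))
        elif is_major_bump(installed, target):
            skipped.append((name, installed, target, vuln["id"]))
        else:
            best = upgrades.get(name)
            if best is None or parse_version(target) > parse_version(best):
                upgrades[name] = target
    return upgrades, skipped, unfixable


def upgrade_commands(upgrades):
    """One command per package, in the form the PR description names."""
    return [f"uv lock --upgrade-package {name}" for name in sorted(upgrades)]


if __name__ == "__main__":
    ups, skips, nofix = triage(SAMPLE_GRYPE_JSON)
    print("\n".join(upgrade_commands(ups)))
    for name, installed, target, vid in skips:
        print(f"skip {name} {installed} -> {target} ({vid}): major bump")
    for name, installed, vid in nofix:
        print(f"no fix available for {name} {installed} ({vid})")
```

Note that `uv lock --upgrade-package <pkg>` resolves to the newest version the project constraints allow rather than to the exact target computed here, so the scan needs a second pass over the regenerated lockfile to confirm each finding actually cleared.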
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | pypi/pip@25.2 ⏵ 26.0.174 +1100 +310010070


@lawrence-u10d (Contributor, Author)

Closing: lockfile was rewritten with private index URLs. Will re-run with fix.
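The reason given for closing (the regenerated lockfile carried private index URLs) is a supply-chain leak that is easy to gate on before a bot opens a PR: every registry-sourced package in the committed uv.lock should resolve from an allowlisted index. The following is an added example, not part of this PR or of the lockfile-security-scan workflow. It assumes uv.lock's layout of one `[[package]]` table per resolved package with a `source = { registry = "..." }` entry for index-hosted packages; the lockfile excerpt below is constructed, and `private-index.example` is a placeholder host.

```python
import re
import sys

# Constructed uv.lock excerpt (not this repository's lockfile). Layout assumed:
# one [[package]] table per resolved package, with `source = { registry = "..." }`
# for index-hosted packages and other source kinds (editable, path, git) lacking
# a registry key.
SAMPLE_UV_LOCK = '''version = 1
requires-python = ">=3.11"

[[package]]
name = "aiohttp"
version = "3.13.4"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pypdf"
version = "6.9.2"
source = { registry = "https://private-index.example/simple" }

[[package]]
name = "example-app"
version = "0.1.7"
source = { editable = "." }
'''

# Indexes the committed lockfile may reference (assumed allowlist).
ALLOWED_REGISTRIES = frozenset({"https://pypi.org/simple"})

_FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]*)"', re.MULTILINE)
_REGISTRY = re.compile(r'registry\s*=\s*"([^"]*)"')


def find_unexpected_registries(lock_text, allowed=ALLOWED_REGISTRIES):
    """Return (name, version, registry) for every package resolved from an
    index outside the allowlist. Packages without a registry key (editable,
    path or git sources) are ignored."""
    offenders = []
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(_FIELD.findall(block))
        match = _REGISTRY.search(block)
        if match and match.group(1) not in allowed:
            offenders.append((fields.get("name"), fields.get("version"),
                              match.group(1)))
    return offenders


def check_lockfile(lock_text, allowed=ALLOWED_REGISTRIES):
    """True when every registry-sourced package comes from an allowed index."""
    return not find_unexpected_registries(lock_text, allowed)


if __name__ == "__main__":
    # Usable as a CI or pre-commit gate: `python check_lock.py uv.lock`.
    # With no argument it checks the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UV_LOCK
    for name, version, registry in find_unexpected_registries(text):
        print(f"{name}=={version} resolved from unexpected index {registry}")
    sys.exit(0 if check_lockfile(text) else 1)
```

Running the gate in the same job that regenerates the lockfile means a leaked private index URL fails the workflow instead of landing in a PR body and diff where it is visible to everyone with read access.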

@lawrence-u10d lawrence-u10d deleted the security/lockfile-transitive-deps branch April 3, 2026 12:02