
fix(deps): upgrade vulnerable transitive dependencies [security]#74

Closed
lawrence-u10d wants to merge 1 commit into main from security/lockfile-transitive-deps

Conversation


@lawrence-u10d lawrence-u10d commented Apr 3, 2026

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69226 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69224 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69228 |
| aiohttp | 3.12.15 | 3.13.3 | High | CVE-2025-69223 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69230 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69229 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69227 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69225 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-22815 |
| filelock | 3.19.1 | 3.20.3 | Medium | CVE-2026-22701 |
| filelock | 3.19.1 | 3.20.1 | Medium | CVE-2025-68146 |
| jupyterlab | 4.4.7 | 4.4.8 | Low | CVE-2025-59842 |
| nbconvert | 7.16.6 | 7.17.0 | High | CVE-2025-53000 |
| pip | 25.2 | 25.3 | Medium | CVE-2025-8869 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pypdf | 6.0.0 | 6.6.2 | Medium | CVE-2026-24688 |
| pypdf | 6.0.0 | 6.7.2 | Low | CVE-2026-27628 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22691 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22690 |
| pypdf | 6.0.0 | 6.9.2 | Medium | CVE-2026-33699 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27024 |
| pypdf | 6.0.0 | 6.7.5 | Medium | CVE-2026-28804 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27026 |
| pypdf | 6.0.0 | 6.7.4 | Medium | CVE-2026-28351 |
| pypdf | 6.0.0 | 6.8.0 | Medium | CVE-2026-31826 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62708 |
| pypdf | 6.0.0 | 6.4.0 | Medium | CVE-2025-66019 |
| pypdf | 6.0.0 | 6.9.1 | Medium | CVE-2026-33123 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62707 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27025 |
| pypdf | 6.0.0 | 6.7.3 | Medium | CVE-2026-27888 |
| python-multipart | 0.0.20 | 0.0.22 | High | CVE-2026-24486 |
| requests | 2.32.5 | 2.33.0 | Medium | CVE-2026-25645 |
| starlette | 0.47.3 | 0.49.1 | High | CVE-2025-62727 |
| tornado | 6.5.2 | 6.5.5 | Medium | GHSA-78cv-mqj4-43f7 |
| tornado | 6.5.2 | 6.5.5 | High | CVE-2026-31958 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66471 |
| urllib3 | 2.5.0 | 2.6.3 | High | CVE-2026-21441 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66418 |
| virtualenv | 20.34.0 | 20.36.1 | Medium | CVE-2026-22702 |

Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| cryptography | 45.0.7 | 46.0.6 | Low | CVE-2026-34073 | major bump |
| cryptography | 45.0.7 | 46.0.5 | High | CVE-2026-26007 | major bump |
| pip | 25.2 | 26.0 | Low | CVE-2026-1703 | major bump |

These require a major version upgrade and should be planned manually.

What this PR does

  1. Scans all uv.lock files with grype for known CVEs
  2. Runs uv lock --upgrade-package <pkg> for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.


Note

Low Risk
Low risk release metadata update: only pyproject.toml version and CHANGELOG.md entries change, with no runtime code modifications shown in this diff.

Overview
Prepares the 0.1.7 release by updating pyproject.toml from 0.1.6 to 0.1.7.

Adds a 0.1.7 Security entry to CHANGELOG.md noting upgraded vulnerable transitive dependencies.

Written by Cursor Bugbot for commit 27cb64d.

Packages upgraded: aiohttp filelock jupyterlab nbconvert pip pygments pypdf python-multipart requests starlette tornado urllib3 virtualenv

Automated by lockfile-security-scan workflow.
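The three steps in "What this PR does" (grype scan of uv.lock, `uv lock --upgrade-package` per fixable finding, major bumps skipped and left for manual planning) as an added Python example. This is not code from the PR or from the lockfile-security-scan tooling: it reads a constructed grype-style JSON report whose values mirror the tables above, picks the lowest fixed version above the locked one for each CVE, classifies anything that would change the major version as skipped, and prints the uv commands to run. The report field names (`matches[].artifact`, `matches[].vulnerability.fix.versions`) follow grype's JSON output as I know it, and the `pkg==ver` form of `--upgrade-package` is assumed to be accepted by uv; verify both against the tool versions you run.

```python
"""Plan lockfile upgrades from a grype JSON report, skipping major bumps.
Added example; not part of the PR or of lockfile-security-scan."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample report. Layout follows grype's JSON output as assumed in
# the lead-in; package/CVE values come from the PR tables except the last
# entry, which is a placeholder for a finding with no fix available.
SAMPLE_REPORT = json.dumps({"matches": [
    {"artifact": {"name": "aiohttp", "version": "3.12.15"},
     "vulnerability": {"id": "CVE-2025-69223", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["3.13.3"]}}},
    {"artifact": {"name": "aiohttp", "version": "3.12.15"},
     "vulnerability": {"id": "CVE-2026-34514", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["3.13.4"]}}},
    {"artifact": {"name": "pip", "version": "25.2"},
     "vulnerability": {"id": "CVE-2025-8869", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["25.3"]}}},
    {"artifact": {"name": "pip", "version": "25.2"},
     "vulnerability": {"id": "CVE-2026-1703", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["26.0"]}}},
    {"artifact": {"name": "cryptography", "version": "45.0.7"},
     "vulnerability": {"id": "CVE-2026-26007", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["46.0.5"]}}},
    {"artifact": {"name": "example-unfixed-pkg", "version": "1.0.0"},  # placeholder
     "vulnerability": {"id": "PLACEHOLDER-NO-FIX", "severity": "Low",
                       "fix": {"state": "not-fixed", "versions": []}}},
]})


def parse_version(v: str) -> tuple:
    """Plain numeric dotted versions only ('3.12.15'); pre-release or post
    tags are not handled here, use packaging.version for those."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Decision:
    package: str
    current: str
    cve: str
    severity: str
    target: Optional[str]   # lowest fixed version above `current`, if any
    action: str             # "upgrade", "skip-major" or "no-fix"


def plan(report_json: str) -> list:
    """One Decision per grype match, following the PR's policy: take the lowest
    fix version above the locked version, and only if it keeps the major."""
    decisions = []
    for m in json.loads(report_json)["matches"]:
        name, current = m["artifact"]["name"], m["artifact"]["version"]
        vuln = m["vulnerability"]
        cur = parse_version(current)
        candidates = [v for v in vuln.get("fix", {}).get("versions", [])
                      if parse_version(v) > cur]
        if not candidates:
            target, action = None, "no-fix"
        else:
            target = min(candidates, key=parse_version)
            action = "upgrade" if parse_version(target)[0] == cur[0] else "skip-major"
        decisions.append(Decision(name, current, vuln["id"], vuln["severity"],
                                  target, action))
    return decisions


def upgrade_commands(decisions: list) -> list:
    """Collapse per-CVE targets to one pin per package (the highest minor/patch
    fix it needs) and emit the uv invocation the PR runs for each package."""
    pins: dict = {}
    for d in decisions:
        if d.action == "upgrade" and (
                d.package not in pins
                or parse_version(d.target) > parse_version(pins[d.package])):
            pins[d.package] = d.target
    return [f"uv lock --upgrade-package {pkg}=={ver}"
            for pkg, ver in sorted(pins.items())]


def skipped(decisions: list) -> list:
    """Findings that need a major bump and, as in the PR, are left for manual planning."""
    return [(d.package, d.current, d.target, d.severity, d.cve)
            for d in decisions if d.action == "skip-major"]


if __name__ == "__main__":
    decs = plan(SAMPLE_REPORT)
    for cmd in upgrade_commands(decs):
        print(cmd)
    for row in skipped(decs):
        print("skipped (major bump):", *row)
```

Pinning `pkg==ver` rather than running an unconstrained `--upgrade-package pkg` keeps the lock change to exactly the patched version grype reported, which makes the resulting uv.lock diff reviewable against the table in the PR body; a finding with no fix version stays visible in the output instead of silently dropping out.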
@socket-security

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/pip@25.2 ⏵ 26.0.1 | 74 (+11) | 100 (+3) | 100 | 100 | 70 |

@lawrence-u10d
Contributor Author

Closing: still investigating Azure URL issue.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread pyproject.toml
[project]
name = "uns_mcp"
version = "0.1.6" # Set only non-dev versions to release
version = "0.1.7" # Set only non-dev versions to release
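Review bot: the bump to `version = "0.1.7"` contradicts the comment on that same line ("Set only non-dev versions to release") given that the CHANGELOG entry referenced in this PR is still 0.1.7-dev0; if the release workflow publishes on any version change on main, either keep the dev version here or split the version bump out of the dependency-fix commit so the lockfile upgrade can merge without cutting a release. It is also worth confirming that the uv.lock changes listed in the summary are actually part of this commit, since the overview reports only pyproject.toml and CHANGELOG.md as modified.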

Version bump triggers unintended PyPI release of dev code

High Severity

Bumping version from 0.1.6 to 0.1.7 in pyproject.toml will trigger the release.yml workflow on merge, which automatically publishes to PyPI whenever it detects a version change on main. The 0.1.7-dev0 CHANGELOG entry indicates development work is still in progress and hasn't been formally released. This automated security-fix PR would inadvertently publish a new release containing unreleased dev changes.


@utic-github-cicd-token-generator utic-github-cicd-token-generator Bot deleted the security/lockfile-transitive-deps branch April 12, 2026 04:50