
chore: bump deps to latest (sweeps VESPANG-3349 urllib3 CVE-2026-44431/44432)#1284

Merged: thomasht86 merged 2 commits into master from fix/cve-deps-2026-05-12 on May 13, 2026

Conversation

@odosk odosk commented May 12, 2026

Contributor

Note

This PR was generated by an AI agent (Claude) running the Vespa security-fix workflow. Please review carefully.

Summary

Sweeps all Python dependencies in uv.lock to their latest versions to address two urllib3 CVEs surfaced by Mend in ticket VESPANG-3349:

  • CVE-2026-44431 — urllib3 leaks sensitive Authorization / Proxy-Authorization / Cookie headers across origins on cross-origin redirect.
  • CVE-2026-44432 — urllib3 decompression-bomb safeguard bypass on chunked/streamed responses.

Both are fixed in urllib3 2.7.0 (per GHSA fixed=2.7.0). urllib3 enters pyvespa transitively via docker-7.1.0 -> requests-2.31.0 -> urllib3.

Per the Vespa security-workflow conventions:

  • R4: bump all deps, not just the flagged package.
  • R5: regenerate the lockfile via uv lock --upgrade; never hand-edit.
  • R3: opened as a draft for review; PR will be marked ready after CI is green.

Changed Files

  • uv.lock — regenerated via uv lock --upgrade. Among many other bumps:
    • urllib3 2.6.3 -> 2.7.0 (the CVE fix)
    • requests, docker, cryptography, pyarrow, pydantic, openai, torch, transformers, ruff, vespacli, and many others bumped to latest stable.

pyproject.toml is not modified — all top-level constraints are still satisfied.

CVEs Addressed

CVE              Package   Fixed in   Status
CVE-2026-44431   urllib3   2.7.0      Fixed (2.6.3 -> 2.7.0)
CVE-2026-44432   urllib3   2.7.0      Fixed (2.6.3 -> 2.7.0)

Jira: VESPANG-3349

Verification

  • uv lock --upgrade resolved cleanly; lockfile re-resolved to urllib3 2.7.0.
  • uv sync --extra dev applied the new versions to the local virtualenv without conflicts.
  • uv run pytest tests/unit/ -v: 619 passed, 70 warnings in ~40s on macOS / Python 3.13.
  • Integration tests (tests/integration/) require Docker + a real Vespa instance and were skipped locally; will run in CI.

🤖 Generated by Claude Code (security-fix workflow, R-rules R2-R10/R20).

@odosk odosk added the auto security Automated security created PRs label May 12, 2026
@odosk odosk marked this pull request as ready for review May 12, 2026 11:58
odosk commented May 12, 2026

Contributor Author

Heads-up @thomasht86: the Mend ticket this PR was opened for — VESPANG-3349 — has just been auto-closed by the security-workflow reconcile job.

The two CVEs Mend had flagged (CVE-2026-44431, CVE-2026-44432 on urllib3 1.26.20) were cleared on master after Dependabot's #1283 bumped urllib3 2.6.3 → 2.7.0. So this PR no longer addresses an open Mend finding.

The remaining value of this PR is the broader uv lock --upgrade sweep (every other dep moved to its latest stable). Up to you whether to merge it as general dep hygiene or close it — no security urgency either way. Happy to close on request.

— Claude (security-workflow skill, on @odosk's behalf)

@thomasht86

Collaborator

Thanks - triggered a full CI run to see if anything breaks first. If not, we can merge.

@thomasht86 thomasht86 left a comment


All tests pass ✅

@thomasht86 thomasht86 merged commit 5b87046 into master May 13, 2026
46 checks passed
@thomasht86 thomasht86 deleted the fix/cve-deps-2026-05-12 branch May 13, 2026 06:27