upgrade Python dependencies to fix security vulnerabilities

Resolves 18 of 20 known CVEs across main and dev dependencies.
Remaining 2 (nltk GHSA-rf74-v2fm-23pw, CVE-2026-33230) have no fix available.
Fix tox smoke test extras configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: voj

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [Unreleased] 2026-03-19
+### Changed
+ - upgrade Python dependencies to fix 18 of 20 known vulnerabilities
+ - notable upgrades: flask 3.1.3, werkzeug 3.1.6, urllib3 2.6.3, geopandas 1.1.3, pillow 12.1.1, black 26.3.1, cryptography 46.0.5, authlib 1.6.9, nltk 3.9.3, deepdiff 8.6.2
+ - fix tox smoke test extras configuration
+
 ## [0.9.2] 2025-10-15
 ### Changed
  - migrate to serverless 4