chore(deps): tighten black/pytest constraints to Dependabot-fixed versions (refs #144) (#151)

Issue: ``pyproject.toml`` carried ``black = "^26.3"`` and
``pytest = "^9.0"`` after the Dependabot clear PRs (#122, #123).
The lockfile is on patched versions (``black 26.5.x``,
``pytest 9.0.3``), so today's installs are safe — but the
constraint spec admits the vulnerable point releases. A fresh
``poetry lock --update`` on a future contributor's machine could
resolve back to ``black 26.3.0`` (vulnerable to CVE-2026-32274,
arbitrary file write via cache-file name) or ``pytest 9.0.0–9.0.2``
(vulnerable to CVE-2025-71176, unsafe tmpdir symlink handling).

Tighten to ``^26.3.1`` and ``^9.0.3`` — the Dependabot-fixed
minimums — so Poetry can never resolve to a vulnerable revision.
Lockfile stays unchanged (the constraints are subsets of what's
already pinned).

Tracked under issue #144 "Post-public-flip hardening tracker".
Closes the constraint-tightening line item; the rest of the tracker
(branch protection, CodeQL, pre-commit activation, CoC, PAT
rotation, issue templates) is separate work.

Tier 5 — touches ``pyproject.toml`` ``[tool.poetry.group.dev.dependencies]``.
Human merge required.

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

pyproject.toml

@@ -44,12 +44,15 @@ python = "^3.10"
 django = ">=5.0,<7.0"
 
 [tool.poetry.group.dev.dependencies]
-# Dependabot #5: pytest's tmpdir handled symlinks unsafely. The
-# advisory's first-patched version is 9.0.3; pytest 9 is a clean
-# major bump for our use (we don't pin any pre-9 internals). We
-# also bumped pytest-django + pytest-cov to releases that declare
-# pytest 9 compatibility.
-pytest = "^9.0"
+# Dependabot #5: pytest's tmpdir handled symlinks unsafely
+# (CVE-2025-71176). The advisory's first-patched version is 9.0.3;
+# we pin to that minimum so ``poetry lock --update`` cannot resolve
+# back to the vulnerable 9.0.0–9.0.2 series even though the lockfile
+# is already on 9.0.3. ``pytest 9`` is a clean major bump for our use
+# (no pre-9 internals are pinned). ``pytest-django`` and
+# ``pytest-cov`` were bumped to releases that declare pytest 9
+# compatibility at the same time.
+pytest = "^9.0.3"
 pytest-django = "^4.8"
 pytest-cov = "^5.0"
 ruff = "^0.6"
@@ -58,10 +61,11 @@ django-stubs = { version = "^5.0", extras = ["compatible-mypy"] }
 bandit = "^1.7"
 pip-audit = "^2.7"
 # Dependabot #4: black wrote intermediate cache files with
-# unsanitized names — arbitrary-file-write. The advisory's
-# first-patched version is 26.3.1; we move to ^26.3 (the new
-# major series) to clear the alert.
-black = "^26.3"
+# unsanitized names — arbitrary-file-write (CVE-2026-32274). The
+# advisory's first-patched version is 26.3.1; we pin to that minimum
+# so ``poetry lock --update`` cannot resolve back to the vulnerable
+# 26.3.0 even though the lockfile is already on 26.5.x.
+black = "^26.3.1"
 isort = "^5.13"
 flake8 = "^7.1"
 Flake8-pyproject = "^1.2"