fix: bump pytest, aiohttp, and cryptography for security CVEs (#535)

* fix: bump pytest, aiohttp, and cryptography for security CVEs

- pytest 9.0.2 → 9.0.3 (CVE-2025-71176, High — RCE via symlink TOCTOU)
- aiohttp 3.13.3 → 3.13.5 (10 Medium CVEs — DoS, CRLF injection, credential theft, request smuggling)
- cryptography 46.0.6 → 46.0.7 (CVE-2026-39892, Medium — buffer overflow on Python >3.11)

Add constraint-dependencies for transitive deps (aiohttp, cryptography) to
enforce minimum safe versions across both workspace and e2e lockfiles.

* style: fix indentation in tests_e2e/pyproject.toml

Match the 2-space indentation used throughout the file.

Author: johnnygreco

pyproject.toml

@@ -31,12 +31,19 @@ members = [
 # IMPORTANT: This root is NOT a package. It only defines workspace configuration.
 package = false
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+# aiohttp 3.13.3: CVE-2026-22815, CVE-2026-34513 through CVE-2026-34525 (multiple DoS, CRLF injection, credential theft)
+# cryptography 46.0.6: CVE-2026-39892 (buffer overflow on Python >3.11)
+constraint-dependencies = [
+    "aiohttp>=3.13.5",
+    "cryptography>=46.0.7",
+]
 
 [dependency-groups]
 dev = [
     "jsonpath-ng>=1.5.3,<2",
     "pre-commit>=4.0.0,<5",
-    "pytest>=9.0.2,<10",
+    "pytest>=9.0.3,<10",
     "pytest-asyncio>=1.3.0,<2",
     "pytest-cov>=7.0.0,<8",
     "pytest-env>=1.2.0,<2",

tests_e2e/pyproject.toml

@@ -12,7 +12,7 @@ data-designer = { path = "../packages/data-designer" }
 
 [dependency-groups]
 dev = [
-  "pytest>=9.0.2,<10",
+  "pytest>=9.0.3,<10",
 ]
 
 [project.entry-points."data_designer.plugins"]
@@ -31,6 +31,11 @@ env = [
 [tool.uv]
 package = true
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+constraint-dependencies = [
+  "aiohttp>=3.13.5",
+  "cryptography>=46.0.7",
+]
 
 [build-system]
 requires = ["hatchling"]