chore(deps): bump Python deps to resolve security advisories (#1440)

Resolves 33 of 35 known CVEs reported by pip-audit by bumping direct and
transitive dependencies. Two residual issues remain: pytest 8.x (local
UNIX tmpdir CVE; bumping cascades to pytest-asyncio 1.x major API break)
and diskcache 5.6.3 (no upstream fix; pulled by outlines under the
transformers/huggingface extras only, local write-access exploit only).

Direct bumps in pyproject.toml:
- cryptography  >=46.0.5  -> >=46.0.7
- langchain-core >=1.2.15 -> >=1.2.28
- langsmith     >=0.7.6   -> >=0.7.31
- litellm       ^1.80.11  -> ^1.83.14   (drags in fixed aiohttp + python-dotenv)
- requests      ^2.32     -> >=2.33.0
- pillow        >=12.1.1  -> >=12.2.0
- pypdf         >=6.9.1   -> >=6.10.2
- transformers  >=4.49    -> >=5.0.0    (also drops the darwin x86_64 <=4.51.3 cap)
- peft          ^0.17.1   -> ^0.19.1    (required for transformers 5.x compat)

Transitive bumps via poetry update: aiohttp 3.13.4, authlib 1.6.11,
langchain-text-splitters 1.1.2, lxml 6.1.0, pygments 2.20.0,
python-dotenv 1.2.2, python-multipart 0.0.26.

Code adjustments forced by the upgrade:
- a2a/serve/server.py: starlette 1.0 removed Starlette.add_event_handler;
  switched the health endpoint readiness tracking to a lifespan context
  manager assigned via app.router.lifespan_context.
- transformers/backend/chat.py: transformers 5.x retyped
  AutoTokenizer.from_pretrained as TokenizersBackend | None and broadened
  apply_chat_template/decode return types; added casts so type checks pass.

Signed-off-by: Tomáš Dvořák <toomas2d@gmail.com>

Author: Tomas2D

python/beeai_framework/adapters/a2a/serve/server.py

@@ -4,7 +4,7 @@
 import asyncio
 import contextlib
 import signal
-from collections.abc import Sequence
+from collections.abc import AsyncIterator, Sequence
 from typing import Any, Literal, Self
 
 import uvicorn
@@ -149,19 +149,21 @@ def serve(self) -> None:
     def _add_health_endpoint(self, app: Starlette) -> None:
         """Add health endpoint to the Starlette app."""
 
-        async def on_startup() -> None:
-            self._ready = True
-
-        async def on_shutdown() -> None:
-            self._ready = False
-
         async def health_endpoint(request: Request) -> Response:
             content = "ok" if self._ready else "not ready"
             status = 200 if self._ready else 503
             return PlainTextResponse(content, status_code=status)
 
-        app.add_event_handler("startup", on_startup)
-        app.add_event_handler("shutdown", on_shutdown)
+        # Starlette 1.0 removed add_event_handler — swap in a lifespan context manager instead.
+        @contextlib.asynccontextmanager
+        async def lifespan(_app: Any) -> AsyncIterator[None]:
+            self._ready = True
+            try:
+                yield
+            finally:
+                self._ready = False
+
+        app.router.lifespan_context = lifespan
         app.routes.append(Route("/health", endpoint=health_endpoint))
 
     @override

python/beeai_framework/adapters/transformers/backend/chat.py

@@ -4,15 +4,22 @@
 import asyncio
 import os
 from collections.abc import AsyncGenerator
-from typing import Any, Unpack
+from typing import Any, Unpack, cast
 
 import outlines
 import torch
 from outlines.inputs import Chat
 from outlines.types import JsonSchema
 from peft import PeftModel
 from pydantic import BaseModel
-from transformers import AutoModelForCausalLM, AutoTokenizer, StoppingCriteria, TextIteratorStreamer, set_seed
+from transformers import (
+    AutoModelForCausalLM,
+    AutoTokenizer,
+    PreTrainedTokenizerBase,
+    StoppingCriteria,
+    TextIteratorStreamer,
+    set_seed,
+)
 
 from beeai_framework.adapters.litellm.utils import to_strict_json_schema
 from beeai_framework.adapters.transformers.backend._utils import (
@@ -71,7 +78,12 @@ def __init__(
         self._model_id = (
             model_id if model_id else os.getenv("TRANSFORMERS_CHAT_MODEL", "ibm-granite/granite-3.3-8b-instruct")
         )
-        self.tokenizer = AutoTokenizer.from_pretrained(model_id, token=hf_token, **(tokenizer_kwargs or {}))  # type: ignore
+        # AutoTokenizer.from_pretrained is typed as TokenizersBackend | None in transformers 5.x,
+        # but at runtime returns a PreTrainedTokenizerBase subclass.
+        self.tokenizer = cast(
+            PreTrainedTokenizerBase,
+            AutoTokenizer.from_pretrained(model_id, token=hf_token, **(tokenizer_kwargs or {})),
+        )
         model_base = AutoModelForCausalLM.from_pretrained(
             self._model_id,
             device_map="auto",
@@ -252,7 +264,9 @@ async def _get_model_output(
         self, input: ChatModelInput, streamer: TextIteratorStreamer | None
     ) -> tuple[str, Any | None]:
         llm_input = self._transform_input(input)
-        inputs = self.tokenizer.apply_chat_template(
+        # apply_chat_template with return_dict=True returns a BatchEncoding (dict-like) at runtime,
+        # but the static type covers many shapes (list, str, dict). Cast for indexing.
+        inputs: Any = self.tokenizer.apply_chat_template(
             llm_input["messages"],
             tools=llm_input["tools"],
             tokenize=True,
@@ -305,7 +319,8 @@ async def _get_model_output(
                 **kwargs,
             )
             generated_tokens = model_output[0, prompt_tokens:]
-            generated_text = self.tokenizer.decode(generated_tokens, skip_special_tokens=True)
+            # tokenizer.decode is typed as list[str] | str but returns str when given a 1-D tensor.
+            generated_text = cast(str, self.tokenizer.decode(generated_tokens, skip_special_tokens=True))
             return generated_text, None
 
     def _format_tool_model(self, model: type[BaseModel]) -> dict[str, Any]: