
Commit d7445a4

Pin security floors for lxml, urllib3, requests, pygments
Resolved five open Dependabot advisories by adding minimum-version constraints to pyproject.toml so Poetry resolves transitive deps to patched releases:

- lxml >=6.1.0 (XXE in iterparse default configuration)
- urllib3 >=2.7.0 (sensitive-header forwarding on proxied redirects; decompression-bomb safeguard bypass)
- requests >=2.33.0 (insecure temp file reuse in extract_zipped_paths)
- pygments >=2.20.0 (ReDoS in GUID regex matching)

Regenerated poetry.lock; only the four flagged packages changed.
1 parent 4547d88 commit d7445a4

3 files changed

Lines changed: 159 additions & 163 deletions


changes/415.security

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Bumped `lxml` (>=6.1.0), `urllib3` (>=2.7.0), `requests` (>=2.33.0), and `pygments` (>=2.20.0) to address open Dependabot advisories (XXE in iterparse, sensitive-header forwarding on proxied redirects, decompression-bomb safeguard bypass, insecure temp file reuse, ReDoS).
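Review bot: the fragment lists the five issues but not the advisory identifiers (GHSA/CVE ids or Dependabot alert links), so readers of the release notes cannot tell which advisory each floor closes; consider appending them, e.g. `lxml (>=6.1.0, <advisory id>)` with the real ids taken from the Dependabot alerts. It would also help to say that these are minimum-version floors in pyproject.toml, so downstream projects only pick up the patched releases after re-resolving their own lock files.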
