Fix security vulnerabilities in pypdf, urllib3, and wrapt (#1314)

* fix security vulnerabilities in pypdf, urllib3, and wrapt deps

- pypdf: bump minimum to >=6.6.2 (fixes infinite loop, decompression
  bomb, and malformed startxref CVEs)
- urllib3: remove <=1.26.20 upper bound to allow 2.6.3+ on Python 3.10+
  (fixes decompression bomb bypass and unbounded decompression chain CVEs)
- wrapt: remove <2.0.0 upper bound (not directly imported, avoids
  unnecessary resolver conflicts)
- Update lock files for pdf, aws, and main packages

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* bump versions: pdf 10.0.2, aws 7.0.2, main 31.1.1

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix CI: replace macos-13 runners and remove pip upper bound

- Replace macos-13 with macos-latest in all 12 workflow files
  (macos-13 runners are being deprecated by GitHub)
- Remove pip<26.0 upper bound from invocations/requirements.txt
  (pip 26.0 is pre-installed on Windows runners, and the <26.0
  constraint causes a self-downgrade failure)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix checkbox test for pypdf 6.6.2 name serialization change

pypdf 6.6.2 serializes checkbox NameObject values with quotes
(/'Yes' instead of /Yes). Add the new format to accepted values.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: mikahanninen

.github/workflows/assistant.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/aws.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     steps:
     - uses: actions/checkout@v5

.github/workflows/core.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/google.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/hubspot.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/main.yaml

@@ -59,13 +59,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       SETUPTOOLS_USE_DISTUTILS: stdlib

.github/workflows/openai.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/pdf.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1

.github/workflows/pip.yaml

@@ -29,7 +29,7 @@ jobs:
         # adding macos and windows to the matrix adds a bunch of running and delay because of mac and windows
         # runners being slower to allocate
         include:
-          - os: macos-13
+          - os: macos-latest
             python-version: "3.10.16"
             pip-version: "24.2"
           - os: windows-latest

.github/workflows/recognition.yaml

@@ -58,13 +58,13 @@ jobs:
             os: ubuntu-latest
           - name: "macos-py39"
             python: "3.9"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py310"
             python: "3.10"
-            os: macos-13
+            os: macos-latest
           - name: "macos-py311"
             python: "3.11"
-            os: macos-13
+            os: macos-latest
 
     env:
       INVOKE_IS_CI_CD: 1