cp: ci: Address aiohttp and urllib3 cve (1379) into r1.1.0

[pablo-garay]

beep boop [🤖]: Hi @thomasdhc 👋,

we've cherry picked #1379 into  for you! 🚀

Please review and approve this cherry pick by your convenience!

[pablo-garay]

/ok to test bd983c6

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[greptile-apps]

Greptile Summary

This PR cherry-picks security fixes from #1379 into the r1.1.0 release branch, addressing CVE vulnerabilities in two dependencies:

• aiohttp: Bumped from 3.13.2 → 3.13.3 to address CVE GHSA-6mq8-rvhq-8wgg
• urllib3: Bumped from 2.6.2 → 2.6.3 to address CVE GHSA-38jv-5279-wg99

The changes add minimum version constraints in pyproject.toml and update the lock file accordingly. This is a straightforward security patch with no functional changes to application code.

Minor issue found:

• Comment formatting inconsistency on line 14 of pyproject.toml (missing space after #)

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it's a straightforward security patch
• The changes are limited to dependency version bumps that address known CVE vulnerabilities. The lock file updates are automatically generated and consistent with the version constraints. No application code changes, only a minor style issue in comment formatting.
• No files require special attention

Important Files Changed

Filename	Overview
pyproject.toml	Added version constraints for aiohttp>=3.13.3 and urllib3>=2.6.3 to address CVE vulnerabilities. One minor style inconsistency in comment formatting.
uv.lock	Lock file updated correctly to reflect aiohttp 3.13.2→3.13.3 and urllib3 2.6.2→2.6.3 version bumps with updated hashes and URLs.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant PyProj as pyproject.toml
    participant UV as UV Package Manager
    participant Lock as uv.lock
    participant PyPI as PyPI Registry

    Dev->>PyProj: Add constraint-dependencies
    Note over PyProj: aiohttp>=3.13.3<br/>urllib3>=2.6.3
    
    Dev->>UV: Run uv lock
    UV->>PyProj: Read constraints
    UV->>PyPI: Query aiohttp versions
    PyPI-->>UV: Return 3.13.3 (latest matching)
    UV->>PyPI: Query urllib3 versions
    PyPI-->>UV: Return 2.6.3 (latest matching)
    
    UV->>Lock: Update package versions
    Note over Lock: aiohttp: 3.13.2 → 3.13.3<br/>urllib3: 2.6.2 → 2.6.3
    UV->>Lock: Update hashes & URLs
    
    Lock-->>Dev: Dependencies locked
    Note over Dev,Lock: CVE vulnerabilities patched

Loading

[greptile-apps]

Additional Comments (1)

1. pyproject.toml, line 14 (link)

   style: Missing space after # in comment - inconsistent with other CVE comments on lines 9-13

   _{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}