ci: Address new CVEs from rc4

[thomasdhc]

Description

Usage

# Add snippet demonstrating usage

Checklist

• I am familiar with the Contributing Guide.
• New or Existing tests cover these changes.
• The documentation is up to date with these changes.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR addresses multiple security vulnerabilities by upgrading dependencies to patched versions.

Key Changes:

• Dockerfile: Added gnupg upgrade to address CVE-2025-68973 with proper cleanup commands (apt-get clean and removal of /var/lib/apt/lists/*)
• Python Dependencies: Updated minimum version constraints for four critical packages:
  • cryptography 46.0.3 → 46.0.5 (CVE GHSA-r6ph-v2qm-q3c2)
  • nbconvert 7.16.6 → 7.17.0 (CVE GHSA-xm59-rqc7-hhvf)
  • pillow 12.0.0 → 12.1.1 (CVE GHSA-cfh3-3jmp-rvhc)
  • protobuf 4.25.8 → 5.29.6 (CVE GHSA-8qvm-5x2c-j2w7)
• Lock File: Automatically regenerated to reflect new constraints with updated package hashes and wheel URLs

All changes are security-focused dependency version bumps following standard CVE remediation practices.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• All changes are straightforward security dependency upgrades following established CVE remediation patterns. The Dockerfile change properly upgrades gnupg with appropriate cleanup. The Python dependency constraints are minimal version bumps (patch/minor versions) that address specific CVEs. The lock file changes are automatic and correctly reflect the constraint updates with proper hashes.
• No files require special attention

Important Files Changed

Filename	Overview
docker/Dockerfile	Added gnupg upgrade to address CVE-2025-68973 with proper cleanup
pyproject.toml	Updated version constraints for cryptography, nbconvert, pillow, and protobuf to address multiple CVEs
uv.lock	Lock file automatically updated to reflect new dependency version constraints

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Consider using apt-get install instead of apt install for consistency with the rest of the RUN command and better scripting compatibility.

Suggested change

	apt install -y --only-upgrade gnupg && \
	apt-get install -y --only-upgrade gnupg && \

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[greptile-apps]

_{3 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[thomasdhc]

/ok to test 62b1c91

[greptile-apps]

_{3 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[ayushdg]

/ok to test d02fe8f