Conversation

@thomasdhc

Description

Usage

# Add snippet demonstrating usage

Checklist

  • I am familiar with the Contributing Guide.
  • New or Existing tests cover these changes.
  • The documentation is up to date with these changes.

Signed-off-by: Dong Hyuk Chang <[email protected]>
@thomasdhc thomasdhc requested a review from ayushdg January 15, 2026 18:58
@thomasdhc thomasdhc added the r1.1.0 Pick this label for auto cherry-picking into r1.1.0 label Jan 15, 2026
greptile-apps bot commented Jan 15, 2026

Greptile Summary

This PR updates security constraints for aiohttp and urllib3 to address known CVEs:

The changes are minimal and focused only on dependency version constraints. The lock file (uv.lock) has been properly regenerated to reflect these constraints. No breaking API changes are expected as these are patch-level updates.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • These are patch-level security updates addressing known CVEs with no API breaking changes. The changes are limited to version constraints and lock file updates.
  • No files require special attention

Important Files Changed

Filename       | Overview
pyproject.toml | Added version constraints for aiohttp>=3.13.3 and urllib3>=2.6.3 to address CVEs
uv.lock        | Updated lock file with aiohttp 3.13.2→3.13.3 and urllib3 2.6.2→2.6.3 to resolve security vulnerabilities

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant UV as UV Package Manager
    participant PyPI as PyPI Registry
    participant Deps as Dependencies
    
    Dev->>UV: Update constraint-dependencies in pyproject.toml
    Note over Dev,UV: Add aiohttp>=3.13.3<br/>Add urllib3>=2.6.3
    
    Dev->>UV: Run uv lock
    UV->>PyPI: Resolve aiohttp>=3.13.3
    PyPI-->>UV: Return aiohttp 3.13.3
    UV->>PyPI: Resolve urllib3>=2.6.3
    PyPI-->>UV: Return urllib3 2.6.3
    
    UV->>Deps: Check dependency tree
    Deps-->>UV: Validate compatibility
    
    UV->>UV: Generate uv.lock
    Note over UV: Update manifest constraints<br/>Update package versions<br/>Update wheel checksums
    
    UV-->>Dev: Lock file updated
    Note over Dev: CVE GHSA-6mq8-rvhq-8wgg addressed<br/>CVE GHSA-38jv-5279-wg99 addressed

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

"xgrammar>=0.1.21", # Address CVE GHSA-5cmr-4px5-23pc
"starlette>=0.49.1", # Address CVE GHSA-7f5h-v6xp-fcq8
"ray[default,data]>=2.52", # Address CVE GHSA-q279-jhrf-cc6v
"urllib3>=2.6.3", #Address CVE GHSA-38jv-5279-wg99
style: Missing space after # in comment

Suggested change
"urllib3>=2.6.3", #Address CVE GHSA-38jv-5279-wg99
"urllib3>=2.6.3", # Address CVE GHSA-38jv-5279-wg99

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
