fix: upgrade xgrammar to 0.1.32 for CVE-2026-25048

[kendrickb-nvidia]

Summary

• Override vllm's transitive pin on xgrammar==0.1.29 to >=0.1.32,<1.0.0 to remediate CVE-2026-25048 (GHSA-7rgv-gqhr-fxg3)
• Matches the fix vllm adopted upstream in [Build] Upgrade xgrammar to get a security fix vllm-project/vllm#36168
• xgrammar 0.1.32 also dropped its macOS-only mlx-lm dependency, so mlx, mlx-lm, and mlx-metal are removed from the lockfile

Test plan

• uv lock resolves cleanly (xgrammar 0.1.29 → 0.1.32)
• make bootstrap-nss cuda installs successfully
• make test -- 802 passed, 2 skipped, 0 failures
• make test-e2e run locally
  • tests/e2e/test_safe_synthesizer.py::test_train_and_generate_defaults PASSED
  • tests/e2e/test_safe_synthesizer.py::test_train_and_generate_dp PASSED

Made with Cursor

[kendrickb-nvidia]

/sync

[Copilot]

Pull request overview

This PR remediates CVE-2026-25048 by overriding vLLM’s transitive pin on xgrammar==0.1.29 to allow xgrammar>=0.1.32,<1.0.0, and refreshes the lockfile accordingly (including dropping now-unneeded macOS-only MLX dependencies).

Changes:

• Add a tool.uv.override-dependencies entry to force xgrammar>=0.1.32,<1.0.0.
• Update uv.lock to resolve xgrammar to 0.1.32.
• Remove mlx, mlx-lm, and mlx-metal entries from the lockfile due to xgrammar dropping the transitive dependency.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
pyproject.toml	Adds an explicit uv override to ensure xgrammar is resolved to a non-vulnerable version range.
uv.lock	Reflects the new resolution (xgrammar 0.1.32) and removes obsolete MLX-related packages from the lock.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[binaryaaron]

might want to file an issue to remove the pin someday since we've goofed that before; ty!

[kendrickb-nvidia]

Filed #273.

Going ahead and merging since dp and non-dp tests worked locally with make test-e2e