
[Aikido] Fix 6 security issues in urllib3, requests#16

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-20841461-kntq

Conversation

aikido-autofix (bot) commented Mar 27, 2026

Upgrade urllib3 and requests to fix decompression bomb DoS vulnerabilities, SSRF bypass, and redirect control issues.

✅ Code not affected by breaking changes.

No breaking changes from the urllib3 (2.2.3 => 2.6.3) or requests (2.32.3 => 2.33.0) upgrades affect this codebase.

The codebase:

  • Does not import or use urllib3 or requests directly

  • Does not use the removed HTTPResponse.getheaders() or HTTPResponse.getheader() methods

  • Does not implement custom ContentDecoder classes

  • Requires Python >=3.12 (as specified in pyproject.toml), which is well above the dropped support for Python 3.8 (urllib3) and Python 3.9 (requests)

All breaking changes are irrelevant to this codebase.

All breaking changes by upgrading urllib3 from version 2.2.3 to 2.6.3 (CHANGELOG)

| Version | Description |
|---|---|
| 2.3.0 | Removed support for Python 3.8. |
| 2.6.0 | Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). |
| 2.6.0 | The number of allowed chained encodings is now limited to 5, which may cause previously working requests with more than 5 chained Content-Encoding values to fail. |
| 2.6.0 | Custom decompressors must be updated to respect the changed API of urllib3.response.ContentDecoder. |

All breaking changes by upgrading requests from version 2.32.3 to 2.33.0 (CHANGELOG)

| Version | Description |
|---|---|
| 2.33.0 | Dropped support for Python 3.9 following its end of support. |

✅ 6 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2025-66418 | HIGH | [urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion. |
| CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion. |
| CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits. |
| CVE-2025-50181 | MEDIUM | [urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks. |
| CVE-2025-50182 | MEDIUM | [urllib3] A vulnerability allows uncontrolled HTTP redirects in browser and Node.js environments when using Pyodide, as redirect control parameters are ignored by the runtime. This could enable open redirect attacks or redirect-based security bypasses. |
| CVE-2026-25645 | MEDIUM | [requests] A predictable filename vulnerability in the extract_zipped_paths() utility function allows local attackers to pre-create malicious files in the temp directory that would be loaded instead of legitimate ones, enabling arbitrary code execution. |
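The three urllib3 issues above (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) are variations of one failure mode: a small compressed body, possibly wrapped in many Content-Encoding layers, is decoded without a bound on either the chain length or the decoded size. The following is an added, self-contained illustration written for this page, not code from urllib3 or from the bot's PR. It builds a constructed "bomb" (1 MiB of zeros, which gzip shrinks to roughly a kilobyte), then decodes Content-Encoding chains the way a hardened client should: refusing chains longer than 5 codings (the limit urllib3 2.6.0 introduced, per the changelog row above) and asking zlib for at most `max_output + 1` bytes per step so the cap is enforced before a bomb's full output is materialised. The 64 KiB cap and the helper names are assumptions chosen for the example.

```python
import gzip
import zlib

# Constructed sample inputs (not taken from the PR): a benign body and a
# bomb-like body of 1 MiB of zeros, which gzip compresses to about a kilobyte.
BENIGN = b"hello world\n" * 100
BOMB_PLAINTEXT = b"\x00" * (1 << 20)
BOMB_GZIP = gzip.compress(BOMB_PLAINTEXT)

MAX_CHAIN = 5            # the chained-encoding limit urllib3 2.6.0 applies
MAX_OUTPUT = 64 * 1024   # hypothetical per-step decoded-size cap chosen for this example


class DecompressionLimitExceeded(Exception):
    """Raised when a response would exceed a decoding limit."""


def encode_chain(body: bytes, depth: int) -> tuple[bytes, list[str]]:
    """Apply gzip `depth` times, returning the body and its Content-Encoding list."""
    encodings: list[str] = []
    for _ in range(depth):
        body = gzip.compress(body)
        encodings.append("gzip")
    return body, encodings


def bounded_decode(body: bytes, encodings: list[str],
                   max_output: int = MAX_OUTPUT, max_chain: int = MAX_CHAIN) -> bytes:
    """Undo a Content-Encoding chain while enforcing two limits.

    - at most `max_chain` codings are honoured (an unbounded chain is a CPU sink);
    - no single step may emit more than `max_output` bytes. zlib is asked for at
      most max_output + 1 bytes, so a bomb is rejected before its output exists.
    """
    if len(encodings) > max_chain:
        raise DecompressionLimitExceeded(
            f"{len(encodings)} chained encodings exceeds the limit of {max_chain}")
    data = body
    for coding in reversed(encodings):  # codings are listed in application order
        if coding != "gzip":
            raise ValueError(f"unsupported coding {coding!r}")
        d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect a gzip header
        chunk = d.decompress(data, max_output + 1)
        if len(chunk) > max_output:
            raise DecompressionLimitExceeded(
                f"decoded size exceeds {max_output} bytes (input was {len(data)} bytes)")
        data = chunk + d.flush()
    return data


def expansion_ratio(compressed: bytes, plaintext: bytes) -> float:
    """Bytes produced per byte received; a bomb is defined by this being huge."""
    return len(plaintext) / len(compressed)


def rejected(body: bytes, encodings: list[str]) -> bool:
    """True when bounded_decode refuses the response because of a limit."""
    try:
        bounded_decode(body, encodings)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(f"bomb ratio: {expansion_ratio(BOMB_GZIP, BOMB_PLAINTEXT):.0f}x")
    body, enc = encode_chain(BENIGN, 2)
    print("benign chain of 2 ->", len(bounded_decode(body, enc)), "bytes")
    print("bomb rejected:", rejected(*encode_chain(BOMB_PLAINTEXT, 1)))
    print("6-deep chain rejected:", rejected(*encode_chain(BENIGN, 6)))
```

The size check runs per decoding step rather than only on the final output, because an inner layer can itself be a bomb; for a streaming API the same cap would be applied per `read(amt)` call, which is the read-limit behaviour the CVE-2026-21441 description says redirect responses were bypassing.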

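The requests issue (CVE-2026-25645) is a different class: a file extracted to a predictable name in a shared temp directory, where a local attacker who creates that name first wins. The following is an added example written for this page, not requests' own code and not a reproduction of its internals: it contrasts a simplified predictable-path pattern (fixed name under a shared directory, reused if it already exists) with extraction into a fresh `tempfile.mkdtemp()` directory and an `O_EXCL` create. The member name, file contents and the "shared" directory are all constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def make_zip_bytes(member: str, content: bytes) -> bytes:
    """Build a one-member zip archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member: str, shared_dir: str) -> str:
    """Simplified vulnerable pattern (an illustration, not requests' code):
    the target path is derived from the member name alone, and an existing
    file at that path is trusted and reused, so whoever wrote it first wins."""
    target = os.path.join(shared_dir, os.path.basename(member))
    if not os.path.exists(target):
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(target, "wb") as f:
            f.write(zf.read(member))
    return target


def extract_private(zip_bytes: bytes, member: str) -> str:
    """Hardened form: a new mode-0700 directory with an unpredictable name,
    and O_EXCL so a pre-existing file fails the open instead of being reused."""
    private_dir = tempfile.mkdtemp(prefix="extract-")
    target = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f, zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        f.write(zf.read(member))
    return target


def demo() -> tuple[bytes, bytes]:
    """Return what each extraction strategy ends up loading after an attacker
    has pre-created the predictable filename."""
    shared = tempfile.mkdtemp(prefix="shared-")  # stands in for a world-shared temp dir
    member = "data/settings.txt"
    legit_zip = make_zip_bytes(member, b"LEGITIMATE")

    # Attacker step: plant a file at the name the predictable scheme will use.
    with open(os.path.join(shared, os.path.basename(member)), "wb") as f:
        f.write(b"ATTACKER")

    with open(extract_predictable(legit_zip, member, shared), "rb") as f:
        loaded_predictable = f.read()
    with open(extract_private(legit_zip, member), "rb") as f:
        loaded_private = f.read()
    return loaded_predictable, loaded_private


if __name__ == "__main__":
    predictable, private = demo()
    print("predictable path loaded:", predictable)
    print("private dir loaded:    ", private)
```

`mkdtemp` gives a directory only the current user can enter, which removes the shared-namespace race entirely; `O_EXCL` is a second line of defence that turns any remaining collision into a loud `FileExistsError` rather than silent use of someone else's file.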
aikido-autofix (bot) closed this Mar 31, 2026
aikido-autofix (bot) deleted the fix/aikido-security-update-packages-20841461-kntq branch March 31, 2026 23:49