security: fix 7 high/critical Dependabot alerts

[MikaKerman]

Summary

• Remove dbt-fabricspark and dbt-vertica from optional deps — both were already excluded from the all extra, and their outdated upstream pins (dbt-core==1.8.5, azure-cli pre-release) forced vulnerable transitive dependency versions to be resolved
• Without them, poetry resolves all 7 high/critical Dependabot alerts to patched versions naturally:
  • deepdiff 8.6.1 → 8.6.2 (CVE-2025-58367 critical RCE + CVE-2026-33155 high DoS)
  • lxml 5.3.1 → 6.1.0 (CVE-2026-41066 XXE)
  • pyopenssl 24.3.0 → 26.1.0 (CVE-2026-27459 buffer overflow)
  • cryptography 46.0.3 → 47.0.0 (CVE-2026-26007 subgroup attack)
  • protobuf 4.25.6 → 6.33.6 (CVE-2026-0994 recursion bypass)
  • azure-core 1.36.0 → 1.39.0 (CVE-2026-21226 deserialization)
• Users who need these adapters can still install them directly (e.g. pip install dbt-fabricspark dbt-vertica)

Test plan

• Verify Dependabot alerts clear after merge
• If alerts persist, add explicit minimum version pins as a follow-up

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added core runtime dependencies with minimum versions for deepdiff, lxml, pyopenssl, cryptography, protobuf, and azure-core.
  • Removed optional adapter support for Fabric Spark and Vertica platforms.

[github-actions]

👋 @MikaKerman
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0851c25-3d67-4b7c-ac71-8d405851b946

📥 Commits

Reviewing files that changed from the base of the PR and between bd69f67 and 0713e63.

📒 Files selected for processing (1)

• pyproject.toml

---

📝 Walkthrough

Walkthrough

Removed optional dbt-fabricspark and dbt-vertica dependencies and their corresponding extras from pyproject.toml; updated comments to state adapters are excluded from lockfile resolution because their transitive pins block security patches, while still permitting direct installation outside Poetry extras.

Changes

Cohort / File(s)	Summary
Dependency and Extras Management pyproject.toml	Removed optional adapter dependencies dbt-fabricspark and dbt-vertica from [tool.poetry.dependencies] and deleted their fabricspark/vertica entries from [tool.poetry.extras]. Updated explanatory comments to note adapters are excluded from lockfile resolution due to transitive pinning blocking security patches, but can be installed directly outside Poetry extras.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
I nibbled through the lockfile’s vine,
Two adapters pruned so patches can shine,
Comments updated, the path now clear,
Direct installs still hop right near,
A joyful twitch — secure and fine! 🎋

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically identifies the main change: fixing high/critical security vulnerabilities through dependency updates, which aligns with the primary objective of resolving seven Dependabot alerts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dependabot-high-critical-alerts

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pyproject.toml (1)

39-44: Consider adding upper bounds to new security-floor pins to reduce resolver drift

Lines 39-44 add important minimum versions for security-sensitive packages, but leaving them open-ended can pull untested future major releases. The project establishes a pattern of using ranges (e.g., slack-sdk = ">=3.20.1,<4.0.0", tenacity = ">=8.0,<10.0"). For deterministic installs, cap these at the next major version:

Proposed diff

-deepdiff = ">=8.6.2"
-lxml = ">=6.1.0"
-pyopenssl = ">=26.0.0"
-cryptography = ">=46.0.5"
-protobuf = ">=5.29.6"
-azure-core = ">=1.38.0"
+deepdiff = ">=8.6.2,<9.0.0"
+lxml = ">=6.1.0,<7.0.0"
+pyopenssl = ">=26.0.0,<27.0.0"
+cryptography = ">=46.0.5,<47.0.0"
+protobuf = ">=5.29.6,<6.0.0"
+azure-core = ">=1.38.0,<2.0.0"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 39 - 44, These new security-floor pins
(deepdiff, lxml, pyopenssl, cryptography, protobuf, azure-core) should include
an upper-bound to avoid pulling future major, potentially breaking releases;
update each version spec from e.g. deepdiff = ">=8.6.2" to a range that caps at
the next major (e.g. ">=8.6.2,<9.0.0") and do the same for lxml ("<7.0.0"),
pyopenssl ("<27.0.0"), cryptography ("<47.0.0"), protobuf ("<6.0.0"), and
azure-core ("<2.0.0") so the resolver remains deterministic and consistent with
the project's existing pattern.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pyproject.toml`:
- Around line 39-44: These new security-floor pins (deepdiff, lxml, pyopenssl,
cryptography, protobuf, azure-core) should include an upper-bound to avoid
pulling future major, potentially breaking releases; update each version spec
from e.g. deepdiff = ">=8.6.2" to a range that caps at the next major (e.g.
">=8.6.2,<9.0.0") and do the same for lxml ("<7.0.0"), pyopenssl ("<27.0.0"),
cryptography ("<47.0.0"), protobuf ("<6.0.0"), and azure-core ("<2.0.0") so the
resolver remains deterministic and consistent with the project's existing
pattern.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e387224b-02ba-4399-b356-d554d55fb420

📥 Commits

Reviewing files that changed from the base of the PR and between c24a73a and bd69f67.

📒 Files selected for processing (1)

• pyproject.toml

[haritamar]

Do we actually need to add all these? Aren't they resolved automatically after removing the libs below?

[MikaKerman]

Tested it locally, and you're right. Just removing dbt-fabricspark and dbt-vertica is enough. Poetry resolves all six packages to patched versions automatically without explicit pins. Updated the PR to use the cleaner approach. If Dependabot doesn't clear the alerts after merge, we can add pins as a follow-up.