
CORE-780: pin urllib3 to 2.7.0 for Dependabot high alerts #2229

Merged
NoyaArie merged 1 commit into master from core-780-bump-urllib3 on May 12, 2026

Conversation


@NoyaArie NoyaArie commented May 12, 2026

Summary

Adds an explicit urllib3 = ">=2.7.0,<3.0.0" constraint to pyproject.toml to address two open Dependabot high-severity alerts. urllib3 is a transitive dep here (via requests and boto3); since this repo has no poetry.lock checked in, an explicit constraint in pyproject.toml is the canonical way to ensure consumers (pip install elementary-data) install the fixed version.

CVEs addressed:

  • GHSA-mf9v-mfxr-j63j — Decompression-bomb safeguards bypassed in parts of the streaming API (vulnerable >=2.6.0,<2.7.0).
  • urllib3 — Sensitive headers forwarded across origins in proxied low-level redirects (vulnerable >=1.23,<2.7.0).

Version-only PR — no code changes. urllib3 is only used transitively (no direct imports in the codebase).

Linear: CORE-780.

Review & Testing Checklist for Human

  • Confirm CI passes (lint, mypy, unit tests, E2E — commit message includes [run-e2e]).
  • Sanity check the pyproject.toml constraint is compatible with requests>=2.28.1,<3.0.0 (it is — requests only requires urllib3>=1.21.1,<3).

Notes

  • No other open Dependabot high/critical alerts exist on this repo.

Link to Devin session: https://app.devin.ai/sessions/84074f4ff245446a97461691ad950635
Requested by: @NoyaArie


Summary by CodeRabbit

  • Chores
    • Added urllib3 as an explicit project dependency to ensure consistent library compatibility across environments.

Review Change Stack

Adds an explicit `urllib3>=2.7.0,<3.0.0` constraint to pyproject.toml
to address two open Dependabot high-severity alerts. urllib3 is a
transitive dep (via `requests` and `boto3`), and without a lock file
this constraint is the canonical way to ensure consumers install the
fixed version.

CVEs addressed:
- GHSA-mf9v-mfxr-j63j: Decompression-bomb safeguards bypassed in
  parts of the streaming API (vulnerable >=2.6.0,<2.7.0)
- urllib3: Sensitive headers forwarded across origins in proxied
  low-level redirects (vulnerable >=1.23,<2.7.0)

[run-e2e]

Co-Authored-By: Noy Arie <noyarie1992@gmail.com>

linear Bot commented May 12, 2026

CORE-780


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

👋 @NoyaArie
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.


coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43aac3a8-0433-430d-a98a-ffca2600d075

📥 Commits

Reviewing files that changed from the base of the PR and between 55d4776 and 9551705.

📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

This PR adds an explicit dependency constraint for urllib3 to the Poetry configuration, pinning it to >=2.7.0,<3.0.0. This ensures a compatible urllib3 version is installed alongside other project dependencies.

Changes

Dependency Management

| Layer / File(s) | Summary |
|---|---|
| urllib3 version constraint (pyproject.toml) | Poetry dependency list is updated to explicitly require urllib3 >=2.7.0,<3.0.0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 With whiskers twitched and paws up high,
urllib3 is pinned to 2.7, oh my!
No major breaks shall come our way,
This little hop saves the day! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: pinning urllib3 to address Dependabot security alerts, matching the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

@NoyaArie NoyaArie merged commit fc1599e into master May 12, 2026
26 of 28 checks passed
@NoyaArie NoyaArie deleted the core-780-bump-urllib3 branch May 12, 2026 13:47