chore: Update dependencies in pyproject.toml and uv.lock#157

Merged
AjayThorve merged 1 commit into NVIDIA-AI-Blueprints:develop from AjayThorve:update-deps on Mar 17, 2026

Conversation

@AjayThorve
Collaborator

  • Added override dependencies for authlib, tornado, and pyopenssl with specified versions.
  • Updated versions of authlib (1.6.9), pyopenssl (26.0.0), fickling (0.1.10), and nltk (3.9.3) in uv.lock.
  • Removed stdlib-list package from uv.lock.

@AjayThorve AjayThorve requested a review from drobison00 March 17, 2026 20:50
@greptile-apps
Contributor

greptile-apps bot commented Mar 17, 2026

Greptile Summary

This PR adds override-dependencies to the [tool.uv] configuration in pyproject.toml to enforce minimum patched versions of authlib, tornado, and pyopenssl across the entire workspace, and regenerates uv.lock to reflect the resolved versions. The approach is the correct uv mechanism for propagating security-fix version floors through a monorepo workspace.

Key changes:

  • Added [tool.uv] override-dependencies enforcing authlib>=1.6.9, tornado>=6.5.5, pyopenssl>=26.0.0 — these ensure transitive consumers cannot accidentally resolve to older, potentially vulnerable versions.
  • authlib bumped 1.6.7 → 1.6.9, tornado 6.5.4 → 6.5.5, pyopenssl 25.3.0 → 26.0.0 (major version), fickling 0.1.7 → 0.1.10, nltk 3.9.2 → 3.9.3.
  • fickling 0.1.10 drops its dependency on stdlib-list, so that package is removed from the lock file entirely — reducing the dependency footprint.
  • The pyopenssl bump crosses a major version boundary (25.x → 26.0.0). While pyopenssl is typically a transitive dependency not called directly, it is worth verifying that no workspace package carries an upper-bound constraint like pyopenssl<26 that would be silently overridden and could cause runtime incompatibilities.

Confidence Score: 4/5

  • This PR is safe to merge; it applies security-motivated version overrides using the correct uv mechanism with a minor caveat around the pyopenssl major version bump.
  • All changes are dependency version bumps with regenerated lock hashes. The uv override mechanism is used correctly. The only non-trivial risk is the pyopenssl 25.x → 26.0.0 major version jump, which carries a theoretical risk of breaking API changes if any workspace package has an undeclared upper-bound constraint; however, pyopenssl is typically consumed only as a transitive dependency and the project targets Python >=3.11 on modern systems.
  • No files require special attention, though a quick check of workspace pyproject.toml files for any pyopenssl<26 upper-bound constraints is advisable before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| pyproject.toml | Adds [tool.uv] override-dependencies for authlib>=1.6.9, tornado>=6.5.5, and pyopenssl>=26.0.0 to enforce minimum secure versions workspace-wide. |
| uv.lock | Lock file regenerated with new overrides header and updated package versions: authlib 1.6.9, fickling 0.1.10 (stdlib-list dep removed), nltk 3.9.3, pyopenssl 26.0.0, tornado 6.5.5; stdlib-list package entry removed entirely. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([uv sync / uv pip install]) --> B{Resolve dependency graph}
    B --> C[Evaluate each package version]
    C --> D{Matches override-dependencies?}
    D -- "authlib, tornado, pyopenssl" --> E[Apply minimum version floor]
    D -- "All other packages" --> F[Use standard resolution]
    E --> G{Resolved version >= override?}
    G -- Yes --> H[Use resolved version]
    G -- No --> I[Force upgrade to override floor]
    F --> H
    I --> H
    H --> J[Write to uv.lock]
    J --> K[(Installed environment)]

    style E fill:#f90,color:#000
    style I fill:#f90,color:#000

Last reviewed commit: 65065cb

@AjayThorve AjayThorve merged commit fcd2806 into NVIDIA-AI-Blueprints:develop Mar 17, 2026
4 checks passed