
fix: address nspect vulnerability report for requests and cryptography#475

Merged
johnnygreco merged 2 commits into
mainfrom
johnny/fix/address-nspect-vuln-report
Mar 30, 2026

Conversation

@johnnygreco

Contributor

Summary

  • Bump requests lower bound from >=2.32 to >=2.33 to exclude vulnerable 2.32.x versions
  • Update lockfile to pull cryptography 46.0.6 (transitive dep, lockfile-only fix)
  • Clean up outdated requests<2.33 warning comment in engine pyproject.toml

Bump requests lower bound to >=2.33 to exclude vulnerable 2.32.x and
update lockfile to pull cryptography 46.0.6 and requests 2.33.0.
@johnnygreco johnnygreco requested a review from a team as a code owner March 30, 2026 14:30
@greptile-apps

greptile-apps Bot commented Mar 30, 2026

Contributor

Greptile Summary

This PR addresses two security vulnerabilities reported by nspect: it raises the requests lower bound from >=2.32 to >=2.33 to exclude vulnerable 2.32.x versions, and bumps cryptography from 46.0.5 to 46.0.6 in the lockfile. A no-longer-needed comment about RequestsDependencyWarning in data-designer-engine is also cleaned up.

  • packages/data-designer-config/pyproject.toml: requests>=2.33,<3 replaces >=2.32; pygments>=2.20,<3 replaces >=2.19.2 (not mentioned in PR description)
  • packages/data-designer-engine/pyproject.toml: Stale comment about requests<2.33 incompatibility removed from the chardet pin
  • uv.lock: Lockfile updated to requests==2.33.0 and cryptography==46.0.6 with correct hashes; all changes are internally consistent

Confidence Score: 5/5

Safe to merge — all security fixes are correct and the lockfile is fully consistent with the updated constraints.

All changes are straightforward security version bumps with no logic changes. The lockfile hashes match the new package versions, the requests specifier is correctly updated across pyproject.toml and the lock, and the cryptography patch bump is lockfile-only as described. The only finding is a P2 style note about an undocumented pygments lower-bound bump, which does not affect correctness.

No files require special attention.

Important Files Changed

  • packages/data-designer-config/pyproject.toml: Bumps requests lower bound to >=2.33 (security fix) and pygments lower bound to >=2.20 (undocumented in PR description, but lockfile is consistent).
  • packages/data-designer-engine/pyproject.toml: Removes now-obsolete RequestsDependencyWarning note from chardet pin comment; no functional dependency changes.
  • uv.lock: Updates cryptography 46.0.5 → 46.0.6 and requests 2.32.x → 2.33.0, consistent with pyproject.toml constraints; all hashes regenerated correctly.
greptile-apps Bot commented on packages/data-designer-config/pyproject.toml, line 28

**Undocumented `pygments` version bump**

The lower bound for `pygments` was silently raised from `>=2.19.2` to `>=2.20` — this change is not mentioned in the PR description or title. The lockfile correctly reflects `pygments 2.20.0`, so there's no consistency issue, but it's worth documenting the intent. Was this bump intentional (e.g., a vulnerability fix or required feature)? If so, please add it to the PR summary so reviewers and changelog readers have the full picture.

Reviews (2): Last reviewed commit: "fix: bump pygments lower bound to >=2.20..."
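The review above checks that the lockfile is consistent with the tightened specifiers. As an added example (not code from this PR or the data-designer project), the stdlib-only script below performs that check: it verifies that the versions a uv.lock resolved to satisfy the pyproject specifiers and sit at or above the floors the nspect report implies, including the transitive cryptography pin that has no pyproject entry. The dependency names, specifiers and versions are those the PR states; the "before" lockfile versions are constructed, and the specifier parser handles only the simple `>=`/`<` style clauses used here, not full PEP 440.

```python
import re
from typing import Dict, List, Tuple

# Constructed fragments modelled on the PR: the tightened specifiers from
# packages/data-designer-config/pyproject.toml, the versions uv.lock resolved to, and the
# floors the report implies (cryptography is transitive, so only the lockfile can show it).
PYPROJECT_DEPS = ["requests>=2.33,<3", "pygments>=2.20,<3"]
LOCKED_VERSIONS = {"requests": "2.33.0", "pygments": "2.20.0", "cryptography": "46.0.6"}
SECURITY_FLOORS = {"requests": "2.33", "cryptography": "46.0.6", "pygments": "2.20"}

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.33.0' -> (2, 33); trailing zeros are dropped so 2.33 and 2.33.0 compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'requests>=2.33,<3' -> ('requests', [('>=', '2.33'), ('<', '3')])."""
    name, spec = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req).groups()
    clauses = []
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        op = next(o for o in sorted(_OPS, key=len, reverse=True) if clause.startswith(o))
        clauses.append((op, clause[len(op):].strip()))
    return name.lower(), clauses


def satisfies(version: str, clauses: List[Tuple[str, str]]) -> bool:
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def audit(deps: List[str], locked: Dict[str, str], floors: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the lockfile agrees with pyproject and the floors."""
    findings = []
    for req in deps:
        name, clauses = parse_requirement(req)
        pinned = locked.get(name)
        if pinned is None:
            findings.append(f"{name}: declared in pyproject but absent from lockfile")
        elif not satisfies(pinned, clauses):
            findings.append(f"{name}: locked {pinned} violates {req!r}")
    for name, floor in floors.items():  # floors catch transitive deps such as cryptography
        pinned = locked.get(name)
        if pinned is not None and parse_version(pinned) < parse_version(floor):
            findings.append(f"{name}: locked {pinned} is below security floor {floor}")
    return findings
```

Running `audit` against the pre-PR lockfile versions reports both specifier violations and the cryptography floor miss that the pyproject constraints alone cannot see.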

ReDoS vulnerability in the Archetype lexer fixed in Pygments 2.20.0.
@johnnygreco johnnygreco merged commit 0a2d372 into main Mar 30, 2026
47 checks passed

3 participants