fix(deps): bump Python dependencies to fix 7 security vulnerabilities (#38447)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

requirements/base.in

@@ -18,8 +18,8 @@
 #
 # Security: CVE-2026-21441 - decompression bomb bypass on redirects
 urllib3>=2.6.3,<3.0.0
-# Security: GHSA-87hc-h4r5-73f7 - Windows path traversal fix
-werkzeug>=3.1.5,<4.0.0
+# Security: CVE-2026-27199 - Windows device name handling in safe_join
+werkzeug>=3.1.6,<4.0.0
 # Security: CVE-2025-68146 - TOCTOU symlink vulnerability
 filelock>=3.20.3,<4.0.0
 # Security: decompression bomb fix (required by aiohttp 3.13.3)

requirements/base.txt

@@ -54,7 +54,7 @@ certifi==2025.6.15
     # via
     #   requests
     #   selenium
-cffi==1.17.1
+cffi==2.0.0
     # via
     #   cryptography
     #   pynacl
@@ -86,7 +86,7 @@ cron-descriptor==1.4.5
     # via apache-superset (pyproject.toml)
 croniter==6.0.0
     # via apache-superset (pyproject.toml)
-cryptography==44.0.3
+cryptography==46.0.5
     # via
     #   apache-superset (pyproject.toml)
     #   paramiko
@@ -219,7 +219,7 @@ markupsafe==3.0.2
     #   mako
     #   werkzeug
     #   wtforms
-marshmallow==3.26.1
+marshmallow==3.26.2
     # via
     #   apache-superset (pyproject.toml)
     #   flask-appbuilder
@@ -317,9 +317,9 @@ pyjwt==2.10.1
     #   flask-appbuilder
     #   flask-jwt-extended
     #   redis
-pynacl==1.5.0
+pynacl==1.6.2
     # via paramiko
-pyopenssl==25.1.0
+pyopenssl==25.3.0
     # via shillelagh
 pyparsing==3.2.3
     # via apache-superset (pyproject.toml)
@@ -457,7 +457,7 @@ wcwidth==0.2.13
     # via prompt-toolkit
 websocket-client==1.8.0
     # via selenium
-werkzeug==3.1.5
+werkzeug==3.1.6
     # via
     #   -r requirements/base.in
     #   flask

requirements/development.txt

@@ -48,7 +48,7 @@ attrs==25.3.0
     #   referencing
     #   requests-cache
     #   trio
-authlib==1.6.5
+authlib==1.6.7
     # via fastmcp
 babel==2.17.0
     # via
@@ -115,7 +115,7 @@ certifi==2025.6.15
     #   httpx
     #   requests
     #   selenium
-cffi==1.17.1
+cffi==2.0.0
     # via
     #   -c requirements/base-constraint.txt
     #   cryptography
@@ -177,7 +177,7 @@ croniter==6.0.0
     # via
     #   -c requirements/base-constraint.txt
     #   apache-superset
-cryptography==44.0.3
+cryptography==46.0.5
     # via
     #   -c requirements/base-constraint.txt
     #   apache-superset
@@ -526,7 +526,7 @@ markupsafe==3.0.2
     #   mako
     #   werkzeug
     #   wtforms
-marshmallow==3.26.1
+marshmallow==3.26.2
     # via
     #   -c requirements/base-constraint.txt
     #   apache-superset
@@ -703,7 +703,7 @@ proto-plus==1.25.0
     # via
     #   google-api-core
     #   google-cloud-bigquery-storage
-protobuf==4.25.5
+protobuf==4.25.8
     # via
     #   google-api-core
     #   google-cloud-bigquery-storage
@@ -786,11 +786,11 @@ pyjwt==2.10.1
     #   redis
 pylint==3.3.7
     # via apache-superset
-pynacl==1.5.0
+pynacl==1.6.2
     # via
     #   -c requirements/base-constraint.txt
     #   paramiko
-pyopenssl==25.1.0
+pyopenssl==25.3.0
     # via
     #   -c requirements/base-constraint.txt
     #   shillelagh
@@ -1009,7 +1009,7 @@ sshtunnel==0.4.0
     # via
     #   -c requirements/base-constraint.txt
     #   apache-superset
-starlette==0.48.0
+starlette==0.49.1
     # via mcp
 statsd==4.0.1
     # via apache-superset
@@ -1111,7 +1111,7 @@ websocket-client==1.8.0
     #   selenium
 websockets==15.0.1
     # via fastmcp
-werkzeug==3.1.5
+werkzeug==3.1.6
     # via
     #   -c requirements/base-constraint.txt
     #   flask