fix(deps): unblock pip security updates

[TimeToBuildBob]

What changed

• Raised the root Poetry project Python constraint from ^3.8 to ^3.9, matching the release workflow's Python 3.9 build matrix.
• Removed the unused direct urllib3 <2 dependency. Nothing in the meta-repo imports urllib3, and the old CacheControl workaround is no longer useful here.
• Refreshed poetry.lock, which removes urllib3 from the locked dependency graph and updates setuptools from 75.2.0 to 82.0.1.

Why

Dependabot security-update runs on master are failing with security_update_not_possible:

• urllib3: latest resolvable 1.26.20, fixed version 2.7.0
• setuptools: latest resolvable 75.2.0, fixed version 78.1.1
• pytest: latest resolvable 8.3.3, fixed version 9.0.3

This PR fixes the resolvable parts: it removes the unused urllib3 edge entirely and lets setuptools resolve past the fixed threshold.

pytest still resolves only to 8.4.2 after the Python 3.9 constraint update, so the pytest >=9.0.3 security update is still not currently satisfiable through the normal Poetry resolver.

Verification

• poetry update pytest setuptools
• poetry check --lock
• poetry run python -c "import pytest, setuptools; print(pytest.__version__); print(setuptools.__version__)"
• poetry show urllib3 confirms urllib3 is no longer installed

[greptile-apps]

Greptile Summary

This PR unblocks Dependabot security updates by raising the root meta-repo's Python floor from 3.8 to 3.9 (matching the existing release-workflow matrix) and removing the stale urllib3 <2 pin that was preventing urllib3 from resolving to its security-fixed version.

• Python 3.8 drop & urllib3 removal: pyproject.toml bumps python = "^3.9" and drops the urllib3 = "<2" workaround (originally added for a CacheControl compatibility issue that no longer applies to this meta-repo).
• Lock file refresh: poetry.lock reflects the constraint update — setuptools moves from 75.2.0 → 82.0.1, pytest from 8.3.3 → 8.4.2 (with pygments now a runtime dependency of pytest 8.4.2), urllib3 1.26.20 is removed, and importlib_metadata/zipp install markers are correctly narrowed from < "3.10" to == "3.9" for the tighter Python floor.

Confidence Score: 5/5

Safe to merge — changes are limited to the dev-environment lockfile and meta-repo constraints, with no functional code affected.

The PR only modifies dependency constraints and the generated lockfile. Python 3.8 reached end-of-life in October 2024 and the release workflow already targets 3.9, so the floor bump is consistent with existing practice. The urllib3 removal is safe because the meta-repo never imports it directly. All lockfile changes (setuptools 82.0.1, pytest 8.4.2, pygments addition, narrowed backport markers) are mechanically correct outputs of poetry update under the new constraint. The outstanding pytest security update is explicitly acknowledged as not yet resolvable and is out of scope for this PR.

No files require special attention.

Important Files Changed

Filename	Overview
pyproject.toml	Python floor raised to 3.9, urllib3 pin removed, pyinstaller constraint updated accordingly — all changes are consistent and intentional.
poetry.lock	Lock file regenerated: urllib3 removed, setuptools bumped to 82.0.1, pytest bumped to 8.4.2, pygments added as pytest's new runtime dep, importlib_metadata/zipp markers narrowed from < '3.10' to == '3.9' (correct for a >=3.9 floor), content-hash updated.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pyproject.toml\npython = '^3.9'] --> B[poetry update\npytest setuptools]
    B --> C{Dependency resolution}
    C --> D[setuptools 75.2.0 → 82.0.1\n✅ security fix]
    C --> E[pytest 8.3.3 → 8.4.2\n⚠️ 9.0.3 still unresolvable]
    C --> F[urllib3 1.26.20\n🗑️ removed — pin dropped]
    C --> G[pygments 2.20.0\n➕ new runtime dep of pytest 8.4.2]
    D --> H[poetry.lock refreshed\ncontent-hash updated]
    E --> H
    F --> H
    G --> H

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[pyproject.toml\npython = '^3.9'] --> B[poetry update\npytest setuptools]
    B --> C{Dependency resolution}
    C --> D[setuptools 75.2.0 → 82.0.1\n✅ security fix]
    C --> E[pytest 8.3.3 → 8.4.2\n⚠️ 9.0.3 still unresolvable]
    C --> F[urllib3 1.26.20\n🗑️ removed — pin dropped]
    C --> G[pygments 2.20.0\n➕ new runtime dep of pytest 8.4.2]
    D --> H[poetry.lock refreshed\ncontent-hash updated]
    E --> H
    F --> H
    G --> H

Loading

_{Reviews (1): Last reviewed commit: "fix(deps): unblock pip security updates" | Re-trigger Greptile}

[TimeToBuildBob]

Root cause was the packaging environment, not the Python floor bump itself.

The previous lock refresh pulled in setuptools 82.0.1, and the non-Windows release jobs were dying in the Package step with ModuleNotFoundError: No module named 'pkg_resources'. PyInstaller in this repo still imports pkg_resources, so I pinned setuptools to >=78.1.1,<81 and refreshed poetry.lock.

Local verification on the PR branch:

• poetry install
• python -c "import setuptools, pkg_resources; print(setuptools.__version__)"

That now resolves setuptools 80.10.2 and restores pkg_resources. Fresh CI is running on commit 6eef3d4.