fix: bump pytest, aiohttp, and cryptography for security CVEs

pyproject.toml

@@ -31,12 +31,19 @@ members = [
 # IMPORTANT: This root is NOT a package. It only defines workspace configuration.
 package = false
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+# aiohttp 3.13.3: CVE-2026-22815, CVE-2026-34513 through CVE-2026-34525 (multiple DoS, CRLF injection, credential theft)
+# cryptography 46.0.6: CVE-2026-39892 (buffer overflow on Python >3.11)
+constraint-dependencies = [
+    "aiohttp>=3.13.5",
+    "cryptography>=46.0.7",
+]
 
 [dependency-groups]
 dev = [
     "jsonpath-ng>=1.5.3,<2",
     "pre-commit>=4.0.0,<5",
-    "pytest>=9.0.2,<10",
+    "pytest>=9.0.3,<10",
     "pytest-asyncio>=1.3.0,<2",
     "pytest-cov>=7.0.0,<8",
     "pytest-env>=1.2.0,<2",

tests_e2e/pyproject.toml

@@ -12,7 +12,7 @@ data-designer = { path = "../packages/data-designer" }
 
 [dependency-groups]
 dev = [
-  "pytest>=9.0.2,<10",
+  "pytest>=9.0.3,<10",
 ]
 
 [project.entry-points."data_designer.plugins"]
@@ -31,6 +31,11 @@ env = [
 [tool.uv]
 package = true
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+constraint-dependencies = [
+  "aiohttp>=3.13.5",
+  "cryptography>=46.0.7",
+]
 
 [build-system]
 requires = ["hatchling"]