
chore: bump lxml and nbconvert to address security advisories#574

Merged
johnnygreco merged 1 commit into main from johnny/chore/bump-lxml-nbconvert-security
Apr 27, 2026

Conversation

@johnnygreco
Contributor

📋 Summary

  • Bumps lxml floor from 6.0.2 to 6.1.0 in data-designer-engine (direct dep) to pick up the upstream security fix.
  • Adds nbconvert>=7.17.1 to the workspace constraint-dependencies block in the root pyproject.toml. nbconvert is transitive via jupyter (notebooks group); pinning here matches the existing pattern used for aiohttp, cryptography, and python-multipart.
  • Regenerated uv.lock: lxml 6.0.2 → 6.1.0, nbconvert 7.17.0 → 7.17.1.

Bump lxml floor to 6.1.0 (direct dep in data-designer-engine) and add
nbconvert>=7.17.1 to workspace constraint-dependencies (transitive via
jupyter in the notebooks group).
@johnnygreco johnnygreco requested a review from a team as a code owner April 27, 2026 16:01
@greptile-apps
Contributor

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

This PR bumps lxml from 6.0.2 to 6.1.0 as a direct dependency in data-designer-engine to address a security advisory, and pins nbconvert>=7.17.1 as a workspace constraint to address a transitive security advisory via jupyter. The lockfile is regenerated accordingly, updating both packages to their patched versions.

Confidence Score: 5/5

This PR is safe to merge — it applies minimal, well-scoped security version bumps with no logic changes.

Changes are limited to version floor bumps and a lockfile regeneration. The approach matches the existing pattern in the workspace pyproject.toml. No logic, API, or configuration changes are present.

No files require special attention.

Important Files Changed

Filename Overview
packages/data-designer-engine/pyproject.toml Floor for lxml bumped from 6.0.2 to 6.1.0 to pick up the upstream security fix; no other changes.
pyproject.toml nbconvert>=7.17.1 added to constraint-dependencies with an explanatory comment, consistent with the existing aiohttp/cryptography/python-multipart pattern.
uv.lock Lockfile regenerated: lxml 6.0.2→6.1.0 and nbconvert 7.17.0→7.17.1, with the new nbconvert constraint entry added to the constraints block.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Root pyproject.toml\nconstraint-dependencies] -->|nbconvert>=7.17.1| B[nbconvert 7.17.1\nuv.lock]
    C[data-designer-engine\npyproject.toml] -->|lxml>=6.1.0,<7| D[lxml 6.1.0\nuv.lock]
    E[jupyter notebooks group] -.->|transitive dep| B
    C -->|direct dep| D

Reviews (1): Last reviewed commit: "chore: bump lxml and nbconvert to addres..."

@github-actions
Contributor

PR #574 Review — chore: bump lxml and nbconvert to address security advisories

Summary

This is a small, focused security-hygiene bump:

  • lxml direct floor raised from >=6.0.2 to >=6.1.0 in packages/data-designer-engine/pyproject.toml (the only package that depends on it directly).
  • nbconvert>=7.17.1 added to the workspace-level [tool.uv].constraint-dependencies in the root pyproject.toml. nbconvert is transitive via jupyter, so a constraint is the right lever.
  • uv.lock regenerated to reflect both bumps (lxml 6.0.2 → 6.1.0, nbconvert 7.17.0 → 7.17.1). No other packages shift.

The substantive diff is three lines plus one comment; the rest of the 122/125 line churn is checksum updates in uv.lock.

Findings

Correctness & conventions

  • Placement is consistent with existing pattern. nbconvert is transitive (via jupyter, which is in the optional notebooks group), so the constraint-dependencies block is the correct mechanism — matches how aiohttp, cryptography, and python-multipart are handled.
  • The lxml direct bump is correctly scoped to data-designer-engine, the only package listing lxml in its own dependencies. Upper bound <7 is preserved.
  • Comment block at pyproject.toml:34-38 is kept sorted alphabetically and the new line follows the established "<pkg> <old-ver>: <reason>" format. Good.
  • Constraint list at pyproject.toml:39-44 stays alphabetical.
  • uv.lock changes are limited to the two targeted packages — no collateral drift, which is what you want in a security-bump PR.

Minor nits (non-blocking)

  • The comment for nbconvert just says "security advisory (transitive via jupyter)" while the aiohttp and cryptography entries cite specific CVEs. If a CVE or GHSA ID is known for the nbconvert 7.17.0 advisory, adding it would match the other entries and make future auditing easier. python-multipart also uses the vaguer form, so this is consistent with at least one existing entry — purely a polish suggestion.
  • data-designer-engine/pyproject.toml bumps the floor but the upper bound stays <7; no action needed, just flagging that any future lxml major bump will need a coordinated update here.

Risk

  • Very low. Patch/minor version bumps of well-established libraries, no API surface changes in either package between these versions that would plausibly affect DataDesigner's usage (lxml is used via stdlib-compatible APIs; nbconvert is only pulled via the notebooks extra).
  • No source code changed, no tests changed — appropriate for a pure dependency bump.
  • CI on this PR exercises the new pins; if lock resolution or downstream tests would break, they'd surface there.

Security

  • This is the security work. The direction (raising floors) is correct and does not relax any existing constraint.
  • No secrets, no credential changes, no new network surface.

Tests

  • No test changes needed for a dependency floor bump. The existing suite exercises both packages transitively.

Verdict

LGTM. Minimal, correctly targeted, and consistent with the existing pattern in the repo. The only optional polish is citing a CVE/GHSA identifier in the nbconvert comment to match the aiohttp/cryptography style — not a blocker.

@johnnygreco johnnygreco merged commit 4662288 into main Apr 27, 2026
51 checks passed