build(pip): update pygithub requirement from <3,>=1.59 to >=2.9.1,<3 in /check-vulnerabilities

[dependabot]

Updates the requirements on pygithub to permit the latest version.

Release notes

Sourced from pygithub's releases.

v2.9.1

Bug Fixes

• Fix getting release by tag in lazy mode by @​EnricoMi in PyGithub/PyGithub#3469

Full Changelog: PyGithub/PyGithub@v2.9.0...v2.9.1

Changelog

Sourced from pygithub's changelog.

Version 2.9.1 (April 14, 2026)

Bug Fixes ^^^^^^^^^

• Fix getting release by tag in lazy mode ([#3469](https://github.com/pygithub/pygithub/issues/3469) <https://github.com/PyGithub/PyGithub/pull/3469>) (7d1ba281e <https://github.com/PyGithub/PyGithub/commit/7d1ba281e>)

Version 2.9.0 (March 22, 2026)

Notable changes ^^^^^^^^^^^^^^^

Lazy PyGithub objects """""""""""""""""""""

The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all CompletableGithubObject\s optionally lazy (if useful). See [#3403](https://github.com/pygithub/pygithub/issues/3403) <https://github.com/PyGithub/PyGithub/pull/3403>_ for a complete list.

In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API:

.. code-block:: python

# Use lazy mode
g = Github(auth=auth, lazy=True)
these method calls do not send requests to the GitHub API
user = g.get_user("PyGithub")    # get the user
repo = user.get_repo("PyGithub") # get the user's repo
pull = repo.get_pull(3403)       # get a known pull request
issue = pull.as_issue()          # turn the pull request into an issue
these method and property calls send requests to Github API
issue.create_reaction("rocket")  # create a reaction
created = repo.created_at        # get property of lazy object repo
once a lazy object has been fetched, all properties are available (no more requests)
licence = repo.license

All PyGithub classes that implement CompletableGithubObject support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects.

By default, PyGithub objects are not lazy.

PyGithub objects with a paginated property """"""""""""""""""""""""""""""""""""""""""

The GitHub API has the "feature" of paginated properties.

... (truncated)

Commits

• 73742d4 Release 2.9.1 (#3478)
• 7d1ba28 Fix getting release by tag in lazy mode (#3469)
• 3a17ecf Release 2.9.0 (#3465)
• b1a9b7e Consider per-page settings when iterating paginated properties (#3377)
• 24305f6 Update test key pair (#3453)
• f2540db Deprecate Reaction.delete (#3435)
• 19e1c50 Add throw option to Workflow.create_dispatch to raise exceptions (#2966)
• 6461909 Add Secret Scanning Alerts and Improve Code Scan Alerts (#3307)
• 95648db Add Python 3.14 to CI and tox (#3429)
• 3716bab Use GET url or _links.self as object url (#3421)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)