security: bump msgpack floor to 1.2.1 (GHSA-6v7p-g79w-8964)

[27Bslash6]

What

Bumps the msgpack floor >=1.1.2 → >=1.2.1 to clear GHSA-6v7p-g79w-8964 (HIGH, published 2026-06-19 21:42 UTC).

Why

msgpack is the default L2 serializer and deserializes bytes read back from the cache backend. The advisory: Unpacker can perform an out-of-bounds read / SEGV if reused after a caught error — so a poisoned/malformed cache payload could crash the client. Fixed upstream in msgpack 1.2.1.

This is not specific to any open feature branch — the advisory landed ~1.5h before nightly/PR CI ran and turned pip-audit red on every branch incl. main. This PR unblocks all of them.

How

• Resolved at source (direct-dependency floor bump), per security-fast.yml's no-suppressions policy. No constraint-dependencies entry needed (that mechanism is for transitive deps only).
• uv.lock churn is msgpack's platform wheel-hash list only — no other package drifted (verified: zero name = lines changed, single version line 1.1.2→1.2.1).

Verification

• uv run pip-audit → No known vulnerabilities found (was: 1)
• StandardSerializer roundtrip smoke clean under msgpack 1.2.1

Summary by CodeRabbit

• Chores
  • Updated a core dependency to a newer version for improved stability and performance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6d07f008-2c37-4592-a71f-8b9802c32e87

📥 Commits

Reviewing files that changed from the base of the PR and between faa06f7 and 4c18741.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml

---

Walkthrough

The minimum required version of the msgpack dependency in pyproject.toml is raised from 1.1.2 to 1.2.1. No other files or declarations are modified.

Changes

msgpack Dependency Version Bump

Layer / File(s)	Summary
Raise msgpack minimum version to 1.2.1 pyproject.toml	The msgpack lower-bound version constraint under [project] dependencies is updated from >=1.1.2 to >=1.2.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description provides clear context on what, why, and how the change addresses the security vulnerability, but does not follow the required template structure with sections like Motivation, Type of Change, Security Checklist, etc.	Restructure the description to align with the repository's template, ensuring all required sections (Type of Change, Security Checklist, Testing, Backward Compatibility) are completed.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: bumping msgpack to address the GHSA-6v7p-g79w-8964 security vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/msgpack-cve

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}