
fix(deps): security and dependency updates #4689

Merged: greysonlalonde merged 2 commits into main from matcha/security-dep-bumps on Mar 4, 2026

Conversation

@mattatcha (Collaborator) commented Mar 3, 2026

Summary

Fixes open dependabot security alerts and consolidates 6 open dependabot PRs into a single update.

Security Fixes

  • pypdf ~6.7.4 → ~6.7.5 — CVE: inefficient ASCIIHexDecode stream decoding (medium)
  • urllib3 ≥2.6.3 override added — CVE: decompression-bomb bypass on redirects (high)

Dev Dependency Bumps

  • ruff 0.14.7 → 0.15.1 (auto-fixed 13 lint issues from new rules)
  • mypy 1.19.0 → 1.19.1
  • pre-commit 4.5.0 → 4.5.1
  • types-regex 2024.11.6 → 2026.1.15
  • boto3-stubs 1.40.54 → 1.42.40

Not Addressed

  • diskcache ≤5.6.3 (medium) — no patch available, pulled in by instructor
  • langchain-core <1.2.11 (low, SSRF) — fix requires 1.x but langchain-apify pins <0.4.0

Supersedes #4679, #4486, #4485, #4406, #4357, #4355
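As an added example (not code from this PR or the crewAI project), a small stdlib-only Python check that tests resolved package versions against the ranges named above, reading the PR's "~6.7.5" as the compatible-release specifier ~=6.7.5 (an assumption) and using constructed sample versions rather than a real lockfile; it also shows why no langchain-core version can satisfy both the >=1.2.11 fix floor and langchain-apify's <0.4.0 pin at once.

```python
"""Added example: gate resolved package versions against the ranges this PR
sets. Stdlib only; the sample versions below are constructed, not a lockfile."""
import re

def parse(v):
    """'6.7.5' -> (6, 7, 5); release segments only, no pre-release suffixes."""
    return tuple(int(p) for p in v.split("."))

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec`.
    Handles >=, >, <=, <, == and ~= (compatible release: '~=6.7.5' is
    '>=6.7.5,<6.8', i.e. the last component may move, the prefix may not)."""
    v = parse(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(~=|>=|<=|==|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.group(1), parse(m.group(2))
        if op == "~=":
            ceiling = bound[:-2] + (bound[-2] + 1,)  # (6,7,5) -> (6,8)
            ok = bound <= v < ceiling
        else:
            ok = {">=": v >= bound, ">": v > bound, "<=": v <= bound,
                  "<": v < bound, "==": v == bound}[op]
        if not ok:
            return False
    return True

# Floors from the PR: pypdf ~6.7.5 read as ~=6.7.5, urllib3 override >=2.6.3
REQUIRED = {"pypdf": "~=6.7.5", "urllib3": ">=2.6.3"}

def unmet(installed, required=REQUIRED):
    """Names whose resolved version misses its range or is missing entirely."""
    return sorted(n for n, s in required.items()
                  if n not in installed or not satisfies(installed[n], s))

def has_satisfying_version(candidates, *specs):
    """True if some candidate meets all specs at once. With the page's
    langchain-core ranges (>=1.2.11 for the fix, <0.4.0 from langchain-apify)
    this is False for every candidate, which is why that alert stays open."""
    return any(all(satisfies(c, s) for s in specs) for c in candidates)

if __name__ == "__main__":
    before = {"pypdf": "6.7.4", "urllib3": "2.5.0"}  # constructed pre-bump state
    after = {"pypdf": "6.7.5", "urllib3": "2.6.3"}   # constructed post-bump state
    print("unmet before:", unmet(before))  # ['pypdf', 'urllib3']
    print("unmet after:", unmet(after))    # []
    print(has_satisfying_version(["0.3.9", "1.2.11"], ">=1.2.11", "<0.4.0"))  # False
```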


Note

Medium Risk
Primary risk is dependency behavior changes from urllib3/pypdf and updated lint/type-check tooling; runtime code changes are minimal and mostly formatting/cleanup. Potential for subtle CI/test or network-stack differences after the lockfile and override updates.

Overview
Consolidates dependency and security updates by bumping pypdf (in crewai-files) and adding an urllib3>=2.6.3 override, with the lockfile updated to reflect the new constraint and simplified urllib3 resolution.

Updates dev tooling versions (ruff, mypy, pre-commit, types-regex, boto3-stubs) and applies corresponding small lint/format cleanups across a few modules (import ordering/whitespace, removing an abstract-method pass, and minor __init__.py tidy-ups).

Written by Cursor Bugbot for commit f89cbbb.

mattatcha and others added 2 commits March 3, 2026 14:32
…urity fixes

- pypdf ~6.7.4 → ~6.7.5 (CVE: inefficient ASCIIHexDecode stream decoding)
- Add urllib3>=2.6.3 override (CVE: decompression-bomb bypass on redirects)
- ruff 0.14.7 → 0.15.1, mypy 1.19.0 → 1.19.1, pre-commit 4.5.0 → 4.5.1
- types-regex 2024.11.6 → 2026.1.15, boto3-stubs 1.40.54 → 1.42.40
- Auto-fixed 13 lint issues from new ruff rules
@greysonlalonde greysonlalonde merged commit 9336702 into main Mar 4, 2026
46 checks passed
@greysonlalonde greysonlalonde deleted the matcha/security-dep-bumps branch March 4, 2026 06:13
