
chore(security): update packages with issues#1989

Merged
leshy merged 1 commit into dev from paul/chore/security-issues on May 6, 2026

Conversation

@paul-nechifor (Contributor)

Problem

We have quite a few package security issues: https://github.com/dimensionalOS/dimos/security/dependabot

Closes DIM-XXX

Solution

  • Upgrade some of the problem packages.

Breaking Changes

None.

How to Test

Contributor License Agreement

  • I have read and approved the CLA.

@greptile-apps (Contributor)

greptile-apps Bot commented May 6, 2026

Greptile Summary

This PR addresses several Dependabot security advisories by relaxing or bumping version constraints across Python and JavaScript dependencies.

  • Python (pyproject.toml): python-multipart raised to >=0.0.27, jinja2>=3.1.6 added to the web extra, langchain/langchain-core unpinned to >=...,<2, transformers raised to >=4.53.0,<4.54, and gdown relaxed to >=5.2.2; the standalone requirements.txt is deleted in favour of the [web] extra.
  • JavaScript (command-center-extension): create-foxglove-extension loosened from the exact pin 1.0.6 to ^1.0.6 so patch-level security releases are picked up automatically.
  • Lock files (uv.lock, package-lock.json) regenerated to match the new constraints.

Confidence Score: 4/5

Safe to merge with awareness that the web API form/file-upload routes remain broken for users following the updated README instructions.

The python-multipart dependency that was explicitly listed in the deleted requirements.txt is not carried over into the web extra, leaving FastAPI form/file endpoints silently broken for anyone installing via .[web] as the README now instructs.

pyproject.toml — the web extra is missing python-multipart, and the transformers upper-bound cap at 4.54 is narrower than the rest of the updated packages.

Important Files Changed

  • pyproject.toml: Security-motivated version bumps: python-multipart >=0.0.27, jinja2 >=3.1.6 added to web extra, langchain/langchain-core constraints widened, transformers pinned to >=4.53.0,<4.54, gdown loosened to >=5.2.2; mypy override for transformers added
  • dimos/web/dimos_interface/api/requirements.txt: File deleted; dependencies migrated to pyproject.toml extras, but python-multipart (previously listed here) is absent from the new web extra
  • dimos/web/dimos_interface/api/README.md: Updated install instructions to point users to pip install -e '.[web]' instead of the deleted requirements.txt
  • dimos/web/command-center-extension/package.json: create-foxglove-extension loosened from exact pin 1.0.6 to semver-compatible ^1.0.6 to allow patch/minor security updates
  • uv.lock: Lock file regenerated with updated resolutions: python-multipart 0.0.27, transformers 4.53.3, jinja2 3.1.6, langchain 1.2.17, langchain-core 1.3.3

Reviews (3): Last reviewed commit: "chore(security): update packages with is..."
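The two review points above (lock resolutions must satisfy the new constraints, and a package dropped from a deleted requirements file must reappear in the extra that replaces it) are mechanical checks. The script below is an added example, not code from the dimos project: it takes the package names, constraints and uv.lock resolutions quoted in the summary, models the deleted requirements.txt and the new [web] extra with two constructed lists, and also expands the npm caret range ^1.0.6 into explicit bounds to show why the exact pin 1.0.6 never picked up security patch releases. Versions are compared as plain dotted integers (no PEP 440 pre-release handling), which is sufficient for the versions quoted here; langchain is left out because its lower bound is elided in the summary.

```python
"""Audit the dependency constraints described in the PR summary.

Added example, not code from the dimos project. Package names,
constraints and lock-file resolutions are the ones quoted in the
summary; OLD_REQUIREMENTS and WEB_EXTRA are constructed stand-ins
for the deleted requirements.txt and the new [web] extra. Versions
are compared as tuples of integers (no PEP 440 pre-release support).
"""
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """'4.53.3' -> (4, 53, 3); tuple ordering gives the comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_specifier(spec):
    """'>=4.53.0,<4.54' -> [('>=', (4, 53, 0)), ('<', (4, 54))]."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*", clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version, spec):
    """True when every clause of spec holds for version."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_specifier(spec))


def caret_to_specifier(caret):
    """npm caret range -> explicit bounds: '^1.0.6' -> '>=1.0.6,<2.0.0'.

    The upper bound bumps the leftmost non-zero component, so ^0.2.3
    means >=0.2.3,<0.3.0. An exact pin such as 1.0.6 has no range at
    all, which is why it never receives patch-level security releases.
    """
    if not caret.startswith("^"):
        raise ValueError("expected a caret range such as ^1.0.6")
    lower = parse_version(caret[1:])
    lower = lower + (0,) * (3 - len(lower))
    for i, component in enumerate(lower):
        if component != 0 or i == len(lower) - 1:
            upper = lower[:i] + (component + 1,) + (0,) * (len(lower) - i - 1)
            break
    fmt = lambda t: ".".join(map(str, t))
    return f">={fmt(lower)},<{fmt(upper)}"


def requirement_name(req):
    """'python-multipart>=0.0.27' -> 'python-multipart' (normalised)."""
    head = re.split(r"[<>=!~;\[\s]", req.strip(), maxsplit=1)[0]
    return head.lower().replace("_", "-")


def missing_from_extra(old_requirements, extra):
    """Packages the deleted requirements file listed that the extra lacks."""
    return ({requirement_name(r) for r in old_requirements}
            - {requirement_name(r) for r in extra})


def check_lock(constraints, resolved):
    """Map each constrained package to whether its lock resolution satisfies it."""
    return {name: satisfies(resolved[name], spec) for name, spec in constraints.items()}


# Constraints and uv.lock resolutions quoted in the summary.
CONSTRAINTS = {"python-multipart": ">=0.0.27", "jinja2": ">=3.1.6",
               "transformers": ">=4.53.0,<4.54"}
LOCK_RESOLUTIONS = {"python-multipart": "0.0.27", "jinja2": "3.1.6",
                    "transformers": "4.53.3"}

# Constructed stand-ins for the deleted requirements.txt and the new [web] extra.
OLD_REQUIREMENTS = ["python-multipart", "jinja2"]
WEB_EXTRA = ["jinja2>=3.1.6"]

if __name__ == "__main__":
    for name, ok in check_lock(CONSTRAINTS, LOCK_RESOLUTIONS).items():
        state = "satisfies" if ok else "VIOLATES"
        print(f"{name}: lock resolution {state} {CONSTRAINTS[name]}")
    print("missing from [web] extra:", sorted(missing_from_extra(OLD_REQUIREMENTS, WEB_EXTRA)))
    print("create-foxglove-extension ^1.0.6 ==", caret_to_specifier("^1.0.6"))
```

Run against the real files, the same two checks would read the [web] extra from pyproject.toml and the resolutions from uv.lock; with the constructed lists here, missing_from_extra reports exactly the gap the review flags, python-multipart.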

@paul-nechifor paul-nechifor force-pushed the paul/chore/security-issues branch from de52bb7 to 363fe34 Compare May 6, 2026 03:12
leshy
leshy previously approved these changes May 6, 2026
@leshy leshy enabled auto-merge (squash) May 6, 2026 03:14
@mustafab0 (Contributor) left a comment


👍

@leshy leshy merged commit 8f7dd69 into dev May 6, 2026
4 checks passed
@leshy leshy deleted the paul/chore/security-issues branch May 6, 2026 17:49


3 participants