chore(deps): consolidate Dependabot security bumps

[sriramveeraghanta]

Consolidates the 9 open Dependabot security PRs into a single lockfile update. Each package is bumped to its first patched version, resolving all 13 open Dependabot security alerts. The change is uv.lock-only.

Security bumps

Package	Bump	Severity	Advisories	Supersedes
urllib3	2.6.3 → 2.7.0	high	GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j	#122
python-multipart	0.0.22 → 0.0.27	high / med	GHSA-pp6c-gr5w-3c5g, GHSA-mj87-hwqh-73pj	#120
authlib	1.6.9 → 1.6.12	medium	GHSA-r95x-qfjj-fjj2, GHSA-jj8c-mmj3-mmgv	#123
cryptography	46.0.5 → 46.0.7	medium / low	GHSA-p423-j2cm-9vmq, GHSA-m959-cc7f-wv43	#100
idna	3.11 → 3.15	medium	GHSA-65pc-fj4g-8rjx	#128
python-dotenv	1.2.1 → 1.2.2	medium	GHSA-mf9w-mj56-hr94	#112
pytest	9.0.2 → 9.0.3	medium	GHSA-6w46-j5rx-g56g	#107
requests	2.32.5 → 2.33.0	medium	GHSA-gc5v-m9x4-r6x2	#94
Pygments	2.19.2 → 2.20.0	low	GHSA-5239-wwwm-4pmq	#97

Versions are pinned to Dependabot's exact targets (the minimal patched versions) to keep the diff small and avoid major-version jumps — e.g. cryptography stays on 46.x rather than jumping to 48.x.

Lockfile realignment

Re-locking also corrects two entries the committed uv.lock had drifted from pyproject.toml:

• plane-sdk 0.2.10 → 0.2.12 (pyproject.toml pins plane-sdk==0.2.12)
• root plane-mcp-server 0.2.10 → 0.2.9 (pyproject.toml declares version = "0.2.9")

Any uv lock produces these, since the prior lock was inconsistent with pyproject.toml.

Verification

• uv lock --check passes (lock consistent with pyproject.toml)
• uv sync resolves cleanly; plane_mcp / plane_mcp.server import OK
• pytest tests/test_oauth_security.py tests/test_stateless_http.py → 13 passed (exercises authlib/cryptography auth stack)
• Live integration tests require a running server + OAuth provider config and were not run in this environment

Supersedes and closes #94, #97, #100, #107, #112, #120, #122, #123, #128.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e8f59e6-7139-4724-ab82-e35787283154

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/deps-security-bumps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}