
Update dependency cyclonedx-bom to >=7.3.0 - autoclosed#24

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/cyclonedx-bom-7.x

Conversation

@renovate

@renovate renovate Bot commented Mar 4, 2026

This PR contains the following updates:

Package                    | Change             | Age       | Confidence
cyclonedx-bom (changelog)  | >=6.0.0 -> >=7.3.0 | age badge | confidence badge

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

CycloneDX/cyclonedx-python (cyclonedx-bom)

v7.3.0

Compare Source

Features
  • Add -S flag to skip *.pth evaluation during environment analysis
    (#1032, 55c15d7)

v7.2.2

Compare Source

Documentation

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • "after 1am and before 7am every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@claude

claude Bot commented Mar 4, 2026

PR Review - Dependency Update: cyclonedx-bom >=7.2.2

Summary

This PR updates cyclonedx-bom from >=6.0.0 to >=7.2.2 (actual lock update: 7.2.1 → 7.2.2).

✅ Code Quality

  • Clean dependency update with minimal changes
  • Follows project convention of using >= version constraints in pyproject.toml

🔍 Observations

Major version jump (6.x → 7.x):

  • The constraint change from >=6.0.0 to >=7.2.2 is a major version upgrade that may include breaking changes
  • The lock file shows only a patch update (7.2.1 → 7.2.2), suggesting v7.x was already in use
  • Recommendation: Document why the minimum version is being pinned to 7.2.2 specifically, or consider using >=7.0.0 for consistency with the previous pattern

Version constraint specificity:

  • New constraint >=7.2.2 is unusually specific for a minimum bound
  • This limits flexibility for future patch versions below 7.2.2 (though they're already released)
  • Consider if >=7.0.0 or >=7.2.0 would be more appropriate unless 7.2.2 specifically fixes a critical issue

Security & Dependencies

  • ✅ This is a security tooling dependency (optional group), low risk
  • ✅ No changes to production code
  • ✅ Only affects the security extra dependency group

Testing

  • Ensure 'task security' runs successfully with the new version
  • Verify SBOM generation still works as expected

Verdict

LGTM with minor suggestion - Consider relaxing the constraint to >=7.0.0 or >=7.2.0 unless 7.2.2 specifically addresses a required fix.
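The two checks the review asks for (that the lock actually satisfies the raised minimum, and that SBOM generation still produces a usable BOM) can be scripted so they run in CI after every Renovate bump. The block below is an added example, not code from this project or from either bot; it assumes a hypothetical pyproject.toml with a quoted `cyclonedx-bom>=X.Y.Z` specifier in the `security` extra, a lock file whose resolved version is read out as a plain string, and an SBOM JSON document as written by `task security`. The pyproject text, lock version and SBOM document are constructed inline so it runs offline. The version comparison handles only plain release segments (no pre/post/dev suffixes); use `packaging.specifiers` for full PEP 440 semantics.

```python
"""Post-update smoke check for a cyclonedx-bom constraint bump.

Added example (not project code). Assumptions: the pyproject.toml keeps a
quoted "cyclonedx-bom>=X.Y.Z" specifier, the lock's resolved version is
available as a string, and the SBOM is a CycloneDX JSON document.
"""
import json
import re
from typing import Dict, List, Tuple

# One operator, one plain release version; enough for ">=6.0.0" style pins.
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*$")

# Constructed sample inputs (not taken from the PR's repository).
SAMPLE_PYPROJECT = """
[project.optional-dependencies]
security = [
    "cyclonedx-bom>=7.3.0",
    "pip-audit>=2.7.0",
]
"""
SAMPLE_LOCK_VERSION = "7.2.2"   # lock lagging behind the new minimum, as in this PR's history

SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "purl": "pkg:pypi/urllib3@2.2.2"},
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.3.0' -> (7, 3, 0). Release segment only; suffixes are rejected."""
    return tuple(int(p) for p in v.strip().split("."))


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1, comparing with zero padding so '7.3' == '7.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def satisfies(spec: str, installed: str) -> bool:
    """True when `installed` meets a single-operator specifier like 'cyclonedx-bom>=7.3.0'."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    _name, op, bound = m.groups()
    c = cmp_versions(installed, bound)
    return {">=": c >= 0, ">": c > 0, "==": c == 0,
            "!=": c != 0, "<": c < 0, "<=": c <= 0}[op]


def find_spec(pyproject_text: str, package: str = "cyclonedx-bom") -> str:
    """Pull the quoted specifier for `package` out of pyproject text."""
    m = re.search(r'"(%s[^"]*)"' % re.escape(package), pyproject_text)
    if not m:
        raise ValueError(f"{package} not declared in pyproject")
    return m.group(1)


def check_sbom(doc: Dict) -> List[str]:
    """Structural sanity checks on a CycloneDX JSON BOM; returns a list of problems."""
    problems: List[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not isinstance(doc.get("specVersion"), str):
        problems.append("missing specVersion")
    comps = doc.get("components")
    if not isinstance(comps, list) or not comps:
        problems.append("no components recorded (empty or missing environment scan)")
        return problems
    seen = set()
    for i, c in enumerate(comps):
        for field in ("type", "name", "version"):
            if not c.get(field):
                problems.append(f"component[{i}] missing {field}")
        key = (c.get("name"), c.get("version"))
        if key in seen:
            problems.append(f"duplicate component {key}")
        seen.add(key)
        # For a Python environment BOM every purl is expected to be pkg:pypi/...
        if "purl" in c and not c["purl"].startswith("pkg:pypi/"):
            problems.append(f"component[{i}] has non-PyPI purl {c['purl']}")
    return problems


def run_checks(pyproject_text: str, lock_version: str, sbom_json: str) -> Dict[str, object]:
    spec = find_spec(pyproject_text)
    return {
        "spec": spec,
        "lock_satisfies_spec": satisfies(spec, lock_version),
        "sbom_problems": check_sbom(json.loads(sbom_json)),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_PYPROJECT, SAMPLE_LOCK_VERSION, json.dumps(SAMPLE_SBOM)))
```

With the constructed inputs the lock check fails, which is exactly the situation this PR went through when Renovate retitled it from `>=7.2.2` to `>=7.3.0`: a raised floor in pyproject.toml is only meaningful if the lock (and therefore the CI environment that runs `task security`) moves with it.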

@renovate renovate Bot force-pushed the renovate/cyclonedx-bom-7.x branch from 7254bf4 to efc4d36 on March 14, 2026 11:08
@renovate renovate Bot force-pushed the renovate/cyclonedx-bom-7.x branch from efc4d36 to dc03aa0 on March 26, 2026 20:40
@renovate renovate Bot changed the title Update dependency cyclonedx-bom to >=7.2.2 Update dependency cyclonedx-bom to >=7.3.0 Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/cyclonedx-bom-7.x branch from dc03aa0 to af3abe6 on March 31, 2026 08:14
@renovate renovate Bot force-pushed the renovate/cyclonedx-bom-7.x branch from af3abe6 to 3579ab7 on April 22, 2026 21:37
@lorr1 lorr1 mentioned this pull request Apr 22, 2026
5 tasks
@renovate renovate Bot changed the title Update dependency cyclonedx-bom to >=7.3.0 Update dependency cyclonedx-bom to >=7.3.0 - autoclosed Apr 23, 2026
@renovate renovate Bot closed this Apr 23, 2026
@renovate renovate Bot deleted the renovate/cyclonedx-bom-7.x branch April 23, 2026 05:05