fix: bump deps and base image to clear security scan CVEs

[glageju]

Summary

The daily Grype security scan (workflow) has been failing on main. This PR clears every "medium or higher, fix available" finding from both the filesystem and
image scans.

Vulnerabilities fixed

Source	Package	From → To	Severity	Advisory
pyproject.toml (runtime)	python-multipart	0.0.26 → 0.0.27	High	GHSA-pp6c-gr5w-3c5g
pyproject.toml (security group)	pip	26.0.1 → 26.1	Medium	GHSA-jp4c-xjxw-mgf9
pyproject.toml (security group)	urllib3	2.6.3 → 2.7.0	High	GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc
Dockerfile (Alpine 3.23 base)	xz-libs	5.8.2-r0 → 5.8.3-r0	Medium	CVE-2026-34743

pip and urllib3 come in transitively via pip-audit (dev/security group only), so they're pinned in the security group following the same pattern already used for lxml. python-multipart is a runtime transitive via fastapi and
mcp.

The Dockerfile base image SHAs were bumped to the latest DHI python:3.13-alpine3.23 and -dev manifests, which carry xz-libs 5.8.3-r0.

Test plan

• task lint — all checks passed
• task typecheck — all checks passed
• task test — 11 passed, 3 integration skipped
• task security — pip-audit and bandit clean
• grype dir:. --fail-on medium --only-fixed — no vulnerabilities found
• docker build + grype mcp-template-py:cve-test --fail-on medium --only-fixed — no vulnerabilities found
• Confirm the scheduled Security Scan workflow passes on this branch