CORE-1048: pin minimum versions for msgpack and cryptography to fix Dependabot alerts

[haritamar]

Summary

Add minimum version constraints for two transitive dependencies with known Dependabot high-severity alerts:

Package	Constraint	Via	Advisory
msgpack	>=1.2.1	CacheControl	OOB read / crash on Unpacker reuse after caught error
cryptography	>=48.0.1	SecretStorage	Vulnerable OpenSSL included in wheels

Follows the same pattern used for idna = \">=3.15,<4\" (CVE-2025-46816). No lockfile in this repo, so pinning in pyproject.toml is the only way to enforce the minimum safe version.

Link to Devin session: https://app.devin.ai/sessions/7a118cfb43a8447e839fbaeace279467
Requested by: @haritamar

Summary by CodeRabbit

• Chores
  • Updated project dependencies by adding explicit version constraints for transitive packages. This ensures reproducible builds and consistent dependency resolution across development and production environments, enhancing overall system reliability.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[linear]

CORE-1048

[github-actions]

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59ebea01-c5d2-4bad-9835-66d45ec984e8

📥 Commits

Reviewing files that changed from the base of the PR and between 9cc84dd and 1bc9fff.

📒 Files selected for processing (1)

• pyproject.toml

---

📝 Walkthrough

Walkthrough

Two transitive dependencies, msgpack and cryptography, are explicitly added to pyproject.toml with minimum version lower bounds. Each entry includes an inline comment identifying it as a transitive dependency pinned to address a specific security advisory.

Changes

Security Dependency Pins

Layer / File(s)	Summary
Pin msgpack and cryptography for security advisories pyproject.toml	Adds explicit Poetry entries for msgpack and cryptography with version lower bounds; each is annotated as a transitive dependency pinned to resolve a specific security advisory.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• elementary-data/elementary#2239: Also modifies pyproject.toml to pin transitive dependencies for security fixes, using the same pattern of adding version-bounded entries with security advisory comments.

Suggested reviewers

• NoyaArie
• arbiv
• elazarlachkar

Poem

🐇 Two packages now pinned with care,
msgpack and cryptography safe there,
Security advisories, beware!
The rabbit sealed the versions tight,
No vulnerabilities in sight! 🔒

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: pinning minimum versions for two dependencies to address security vulnerabilities, with explicit reference to the ticket number and purpose.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch core-1048-pin-minimum-versions-for-transitive-security-deps-in

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}