Fix two high-severity urllib3 vulnerabilities introduced transitively via requests.
- Pin
urllib3 >= 2.7.0in pyproject.toml + poetry.lock (was 2.6.3) - CVE-2026-44432 — Decompression Bomb (CVSS 8.9, SNYK-PYTHON-URLLIB3-16642059)
- CVE-2026-44431 — Insertion of Sensitive Information Into Sent Data on cross-origin redirects (CVSS 8.2, SNYK-PYTHON-URLLIB3-16642024)