
Commit 60b39e3

Authors: starfolkai[bot], AbhiPrasad, claude
chore(deps): bump python-dotenv to 1.2.2 in test-crewai (#400)
## Summary

- Closes Dependabot alert #115 (`python-dotenv` <1.2.2, CVE-2026-28684 — symlink-following in `set_key`).
- Bumps the `test-crewai` group's `litellm` pin from `1.83.10` → `1.83.14`. The older litellm hard-pins `python-dotenv==1.0.1`; the newer one pins `python-dotenv==1.2.2`. That was the only path forcing the vulnerable 1.0.1 into the lock's conflict-group resolution.
- After the bump, `uv lock` resolves `python-dotenv` to a single version (1.2.2). As a side effect, `aiohttp` also moves 3.13.3 → 3.13.4, which clears 10 aiohttp CVEs (#105-#114).

## Why this is the right knob

The CVE is in `python-dotenv`'s `set_key()` / `unset_key()` (symlink-following on cross-device rename fallback). `braintrust` only calls `load_dotenv()` (`py/src/braintrust/cli/eval.py:279`), so end users are not exploitable through the SDK regardless of the lock state. This PR exists purely to silence the Dependabot alert by purging the vulnerable version from the test-crewai resolution.

## Test plan

- [x] `uv lock` resolves cleanly.
- [x] `nox -s "test_crewai(latest)"` collects 17 tests (no install errors after the litellm bump).
- [ ] CI green on the full matrix.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Abhijeet Prasad <abhijeet@braintrustdata.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
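A lock-level check for the situation the message describes (a conflict-group split leaving an old `python-dotenv` in the lock beside the fixed one, pulled in by a hard pin), added here as an example; it is not part of this commit or the braintrust project. It assumes uv.lock's `[[package]]` layout, works on a constructed excerpt rather than the repo's real lock, and only handles plain numeric versions; the `tomli` fallback is for Python older than 3.11.

```python
try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore

# Constructed excerpt in uv.lock's [[package]] layout, mirroring the
# pre-bump state the commit describes; not this repo's actual lock.
SAMPLE_LOCK = """
[[package]]
name = "litellm"
version = "1.83.10"
dependencies = [{ name = "python-dotenv", version = "1.0.1" }]
[[package]]
name = "litellm"
version = "1.83.14"
dependencies = [{ name = "python-dotenv", version = "1.2.2" }]
[[package]]
name = "python-dotenv"
version = "1.0.1"
[[package]]
name = "python-dotenv"
version = "1.2.2"
"""

def parse_version(text):
    """Numeric dotted versions only; enough for the pins on this page."""
    return tuple(int(part) for part in text.split("."))

def packages(lock_text):
    return tomllib.loads(lock_text).get("package", [])

def locked_versions(lock_text, package):
    """uv writes one [[package]] entry per resolved version, so a
    conflict-group split shows up here as more than one version."""
    found = {p["version"] for p in packages(lock_text) if p["name"] == package}
    return sorted(found, key=parse_version)

def vulnerable_versions(lock_text, package, fixed_in):
    """Locked versions of `package` older than the fixed release."""
    floor = parse_version(fixed_in)
    return [v for v in locked_versions(lock_text, package)
            if parse_version(v) < floor]

def who_pins(lock_text, package, version):
    """Packages whose lock entry depends on `package` at exactly `version`
    (uv records the version only when the dep is split across versions)."""
    return sorted(f'{p["name"]}=={p["version"]}' for p in packages(lock_text)
                  for dep in p.get("dependencies", [])
                  if dep.get("name") == package and dep.get("version") == version)
```

Run `vulnerable_versions` against the regenerated lock after a bump like this one; an empty list confirms the old version is gone, and `who_pins` names the entry that was holding it in.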
1 parent 0f0c1ce commit 60b39e3

2 files changed

Lines changed: 564 additions & 423 deletions


py/pyproject.toml

Lines changed: 4 additions & 2 deletions
@@ -160,8 +160,10 @@ test-langchain = [
160160
test-crewai = [
161161
{include-group = "test"},
162162
# CrewAI's no-network smoke test forces the LiteLLM fallback path via
163-
# ``is_litellm=True`` + ``mock_response``.
164-
"litellm==1.83.10",
163+
# ``is_litellm=True`` + ``mock_response``. Bumped to 1.83.14 so the
164+
# transitive python-dotenv lands on 1.2.2 (CVE-2026-28684) instead of
165+
# the 1.0.1 that older litellm hard-pins.
166+
"litellm==1.83.14",
165167
]
166168

167169
test-llamaindex = [
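Review bot: in the new comment the parenthetical `(CVE-2026-28684)` sits directly after `1.2.2`, the fixed version, so it reads as if 1.2.2 is the version that carries the CVE; make the direction explicit, e.g. `# transitive python-dotenv lands on 1.2.2 (fixes CVE-2026-28684) instead of`. It would also help to note in the comment that the exact `==` pin only steers the conflict-group resolution once the lockfile is regenerated (`uv lock`, as the commit message says), since the pyproject change on its own does not evict the old version from the lock.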
