chore(deps): cryptography 48 + 3 patches; cap protobuf<7 and starlette<1 (consolidates #34/#58/#61/#62; defers #59/#60)

.github/workflows/dependency-audit.yml

@@ -32,7 +32,7 @@ jobs:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9  # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
 
       - name: Install audit tools
         run: pip install pip-audit==2.9.0

.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
           python-version: "3.12"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9  # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
 
       - name: Run tests
         run: uv run pytest tests/ -v

.github/workflows/update-lockfile.yml

@@ -22,7 +22,7 @@ jobs:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9  # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
 
       - name: Regenerate requirements.lock
         run: uv pip compile requirements.txt -o requirements.lock --generate-hashes

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "coda"
-version = "0.18.2"
+version = "0.18.3"
 description = "CoDA - Coding Agents on Databricks Apps"
 requires-python = ">=3.10"
 dependencies = [
@@ -11,16 +11,28 @@ dependencies = [
     "databricks-sdk>=0.106.0",
     "mlflow-skinny==3.12.0",
     "requests",
-    "cryptography>=46.0.7",
+    "cryptography>=48.0.0",
     # Security floors — make CVE-driven minimums explicit so future resolves
     # can't silently downgrade. See PR description for advisory IDs.
     "gitpython>=3.1.49",
-    "python-multipart>=0.0.27",
+    "python-multipart>=0.0.29",
     # Upper bound is forced by our transitive ecosystem: both mlflow-skinny 3.11.x
     # AND opentelemetry-api 1.41.x cap importlib-metadata<8.8. Dependabot tried
     # to bump it to 9.0.0 (PR #3) and broke every deploy — explicit ceiling so
     # the bot won't try again until upstream widens its caps.
     "importlib-metadata<8.8",
+    # Upper bound is forced by databricks-sdk: 0.106.0 declares
+    # `protobuf!=5.26.*,...,<7.0,>=4.25.8`. Dependabot tried to bump to
+    # protobuf 7.34.1 (PR #60) and broke `pip install -r requirements.txt`.
+    # Explicit ceiling so the bot won't try again until databricks-sdk lifts
+    # its <7.0 cap.
+    "protobuf<7",
+    # Upper bound is forced by mlflow-skinny: 3.12.0 declares `starlette<1`.
+    # Dependabot tried to bump to starlette 1.0.0 (PR #59) — the pin worked
+    # with `uv pip sync` but `uv pip compile pyproject.toml` rejected it via
+    # mlflow-skinny's transitive cap. Explicit ceiling so the bot won't try
+    # again until mlflow-skinny lifts its <1 cap.
+    "starlette<1",
 ]
 
 [dependency-groups]

requirements.txt

@@ -42,7 +42,7 @@ click==8.3.3
     #   uvicorn
 cloudpickle==3.1.2
     # via mlflow-skinny
-cryptography==46.0.7
+cryptography==48.0.0
     # via
     #   coda (pyproject.toml)
     #   google-auth
@@ -122,6 +122,7 @@ packaging==26.2
     # via mlflow-skinny
 protobuf==6.33.6
     # via
+    #   coda (pyproject.toml)
     #   databricks-sdk
     #   mlflow-skinny
     #   opentelemetry-proto
@@ -139,7 +140,7 @@ pydantic==2.13.3
     #   pydantic-settings
 pydantic-core==2.46.3
     # via pydantic
-pydantic-settings==2.14.0
+pydantic-settings==2.14.1
     # via mcp
 pyjwt==2.12.1
     # via mcp
@@ -149,7 +150,7 @@ python-dotenv==1.2.2
     #   pydantic-settings
 python-engineio==4.13.1
     # via python-socketio
-python-multipart==0.0.27
+python-multipart==0.0.29
     # via
     #   coda (pyproject.toml)
     #   mcp
@@ -182,6 +183,7 @@ sse-starlette==3.3.4
     # via mcp
 starlette==0.52.1
     # via
+    #   coda (pyproject.toml)
     #   fastapi
     #   mcp
     #   mlflow-skinny