chore(deps): bump deps and drop EOL Python versions

[Dhawal (dgawande12)]

Description

Addresses 9 HIGH and MEDIUM security CVEs across core dependencies. Drops support
for Python 3.8 and 3.9 — both end-of-life and the root blocker for patching these CVEs.

⚠️ Breaking change: Python 3.8 and 3.9 are no longer supported.
Users must upgrade to Python 3.10+ before upgrading to v3.0.0.

---

Why Python 3.10 is the minimum required to fix these CVEs

Several CVEs cannot be patched on Python 3.8 or 3.9 - not due to a code change, but
because the patched versions of the dependencies themselves require Python 3.10+:

• requests 2.33.0 (fixes 4 CVEs) requires Python ≥ 3.10
• urllib3 2.6.3 (fixes 3 HIGH CVEs) is only reachable via requests 2.33.0

Staying on Python 3.8/3.9 means these CVEs cannot be resolved regardless of any
other change made to this library.

---

Security Fixes

Package	Change	Min Python to fix	CVEs Fixed	Severity
joserfc	>=0.9,<1.3 → >=1.6.3,<2.0	3.9+	CVE-2026-27932	🔴 HIGH
requests	^2.28.2 → ^2.33.0	3.10+	CVE-2023-32681, CVE-2024-35195, CVE-2024-47081, CVE-2026-25645	🟡 MEDIUM ×4
urllib3	2.2.3 → 2.6.3 (transitive via requests)	3.10+	CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, CVE-2025-50181, CVE-2025-50182	🔴 HIGH ×3 + 🟡 MEDIUM ×2
cryptography	43.0.3 → 48.0.0 (transitive)	3.9+	CVE-2026-26007, CVE-2024-12797, CVE-2026-34073	🔴 HIGH + LOW ×2
black	^24.8.0 → ^26.3.1 (dev only, not shipped)	any	CVE-2026-32274	🔴 HIGH

---

User Impact

Fixes #144

	Impact
Python 3.10, 3.11, 3.12, 3.13	✅ Drop-in upgrade — no API changes
Python 3.8 or 3.9	⛔ Upgrade to v3.0.0 blocked. Please upgrade Python first

No changes to any public API. ConfidentialClient, get_access_token(), config format,
proxy, SSL, and retry options are all identical.

---

Checklist

Ensure the following things have been met before requesting a review:

• Follows all project developer guide and coding standards.
• Tests have been written for the change, when applicable.
• Confidential information (credentials, auth tokens, etc...) is not included.

[Rico (RicoFactset)]

Checkmarx One – Scan Summary & Details – 1670534b-f70d-4563-836e-4c89254537b2

---

Fixed Issues (6)

High: 3 · Medium: 3

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2025-66418	Python-urllib3-2.2.2
	CVE-2025-66471	Python-urllib3-2.2.2
	CVE-2026-21441	Python-urllib3-2.2.2
	CVE-2024-12797	Python-cryptography-42.0.6
	CVE-2025-50181	Python-urllib3-2.2.2
	CVE-2025-50182	Python-urllib3-2.2.2

---

Use Checkmarx (@Checkmarx) to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR