fix: upgrade marvin>=3.2.0 to fix contact-extractor crash #211

Open

pdettori wants to merge 3 commits into main from fix/pin-marvin-below-3.1

Conversation

@pdettori (Contributor) commented Apr 2, 2026

Summary

  • Upgrade marvin>=3.2.0 in a2a/a2a_contact_extractor/pyproject.toml (3.0.x/3.1.x incompatible with pydantic-ai>=1.56)
  • Pin CVE-affected indirect deps: fastmcp>=3.2.0, anthropic>=0.87.0, aiohttp>=3.13.4
  • Add dependabot ignore for marvin major bumps (require manual testing)
  • uv.lock updated: marvin 3.1.1 → 3.2.7, fastmcp 3.1.1 → 3.2.0, anthropic 0.86.0 → 0.88.0, aiohttp 3.13.3 → 3.13.5

Root Cause

AttributeError: 'Agent' object has no attribute '_deprecated_result_tool_name'
  File "marvin/engine/streaming.py", line 90, in handle_agentlet_events

The pydantic-ai>=1.56.0 CVE pin (CVE-2026-25580) pulled in pydantic-ai 1.71.0, which removed _deprecated_result_tool_name from the Agent class. Marvin 3.0.x/3.1.x still referenced this attribute, causing AttributeError on every run_async() call with union result_type. Marvin 3.2.0+ is compatible.

CVEs Fixed

| Package   | CVE                                                              | Severity |
|-----------|------------------------------------------------------------------|----------|
| fastmcp   | CVE-2026-32871                                                   | Critical |
| fastmcp   | CVE-2026-27124                                                   | High     |
| fastmcp   | CVE-2025-64340                                                   | Medium   |
| anthropic | CVE-2026-34452, CVE-2026-34450                                   | Medium   |
| aiohttp   | CVE-2026-34525, CVE-2026-34516, CVE-2026-34515, CVE-2026-22815   | Medium   |
| aiohttp   | 6 additional CVEs                                                | Low      |

Test plan

  • Rebuilt contact-extractor image in Kind cluster with marvin 3.2.7
  • Sent contact extraction request — successful extraction, no AttributeError
  • Verified agent card endpoint works
  • Verified all bumped package versions in running pod

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
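As an added example (not code from this PR or the project), the following Python script implements the last step of the test plan above: checking that the package versions actually installed in an environment satisfy the CVE floors the PR declares. The four requirement strings mirror the pins in the PR; the BEFORE and AFTER snapshots are constructed from the version numbers in the uv.lock bullet, and installed_versions() reads the real environment through importlib.metadata. The small version parser is an assumption made for self-containment (dotted numeric versions only, no PEP 440 pre-release handling); a real project would compare with the packaging library instead.

```python
"""Check that installed package versions satisfy declared CVE floors.

Added example, not code from the PR or the project. Requirement strings
mirror the pins in the PR; the BEFORE/AFTER snapshots are constructed from
the lockfile bullet, and installed_versions() reads the live environment.
"""
import re
from importlib import metadata

# Floors declared in the PR for a2a/a2a_contact_extractor/pyproject.toml.
CVE_PINS = [
    "marvin>=3.2.0",
    "fastmcp>=3.2.0",
    "anthropic>=0.87.0",
    "aiohttp>=3.13.4",
]

# Assumption: only "name<op>dotted-numeric-version" is supported here.
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|==|>|<=|<)\s*([0-9][0-9.]*)\s*$"
)


def version_key(ver):
    """Turn '3.13.4' into (3, 13, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in ver.strip(".").split("."))


def parse_requirement(req):
    """Split 'name>=1.2.3' into (lowercase name, operator, version tuple)."""
    m = _REQ.match(req)
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    name, op, ver = m.groups()
    return name.lower(), op, version_key(ver)


def satisfies(installed, op, required):
    """Compare two version tuples under op, padding the shorter one with zeros."""
    width = max(len(installed), len(required))
    a = installed + (0,) * (width - len(installed))
    b = required + (0,) * (width - len(required))
    return {">=": a >= b, "==": a == b, ">": a > b, "<=": a <= b, "<": a < b}[op]


def check_pins(pins, installed):
    """Return (name, installed_version, requirement) for every violated pin.

    `installed` maps lowercase distribution name -> version string. A package
    that is absent is reported too: a missing dependency is as unverified as an
    outdated one.
    """
    violations = []
    for req in pins:
        name, op, required = parse_requirement(req)
        have = installed.get(name)
        if have is None:
            violations.append((name, None, req))
        elif not satisfies(version_key(have), op, required):
            violations.append((name, have, req))
    return violations


def installed_versions(names):
    """Read actual versions from the running environment (skips packages not installed)."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


# Constructed snapshots: the lockfile state before and after this PR's update.
BEFORE = {"marvin": "3.1.1", "fastmcp": "3.1.1", "anthropic": "0.86.0", "aiohttp": "3.13.3"}
AFTER = {"marvin": "3.2.7", "fastmcp": "3.2.0", "anthropic": "0.88.0", "aiohttp": "3.13.5"}

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        bad = check_pins(CVE_PINS, snapshot)
        print(f"{label}: {'OK' if not bad else bad}")
    # The same check against whatever is installed where this script runs.
    live = installed_versions([parse_requirement(p)[0] for p in CVE_PINS])
    print("live environment:", check_pins(CVE_PINS, live))
```

Run inside the rebuilt container image (or any environment) and a non-empty result from the live check means a floor is not met; wiring it into CI turns the manual "verified all bumped package versions in running pod" step into a repeatable gate.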

Marvin 3.0.x/3.1.x are incompatible with pydantic-ai>=1.56.0 (required
for CVE-2026-25580). The Agent class lost the `_deprecated_result_tool_name`
attribute in pydantic-ai 1.56+, causing AttributeError in marvin's
streaming.py when using `run_async()` with union result_type.

Upgrade to marvin>=3.2.0 which is compatible with modern pydantic-ai.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
pdettori force-pushed the fix/pin-marvin-below-3.1 branch from 28a610e to ad8d3af on April 2, 2026 20:20
pdettori added 2 commits April 2, 2026 16:42
Pin indirect dependencies to fix code scanning alerts:
- fastmcp>=3.2.0: CVE-2026-32871 (critical SSRF), CVE-2026-27124 (high)
- anthropic>=0.87.0: CVE-2026-34452, CVE-2026-34450
- aiohttp>=3.13.4: CVE-2026-34525, CVE-2026-34516, CVE-2026-34515,
  CVE-2026-22815, and 6 low-severity CVEs

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Marvin upgrades can break the contact-extractor agent due to
pydantic-ai compatibility issues. Require manual testing before
accepting major version bumps.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@cwiklik (Collaborator) left a comment

Review Summary

The code changes are solid — upgrading marvin to >=3.2.0 for pydantic-ai compatibility, pinning CVE-affected indirect deps (fastmcp>=3.2.0, anthropic>=0.87.0, aiohttp>=3.13.4), and configuring dependabot to avoid risky auto-upgrades. All 3 commits signed-off with proper Assisted-By trailer. All 11 CI checks passing.

Areas reviewed: Python (deps), YAML (dependabot), Security (CVEs), Commit conventions
Commits: 3 commits, all signed-off: ✅
CI status: all 11 checks passing ✅

Must-fix

PR title and description are stale and contradict the actual changes:

  • Title says fix: pin marvin<3.1.0 to fix contact-extractor crash — but the actual constraint is marvin>=3.2.0
  • Body says marvin 3.1.1 → 3.0.6 — but the lockfile shows marvin 3.1.1 → 3.2.7
  • Body says Pin marvin>=3.0.0,<3.1.0 — but pyproject.toml shows marvin>=3.2.0

The PR title becomes permanent git history (squash/merge commit). Please update to match the actual change, e.g.:

  • Title: fix: upgrade marvin>=3.2.0 to fix contact-extractor crash
  • Body: Update the summary bullets and uv.lock line to reflect the upgrade

Highlights

  • Good approach pinning CVE-affected indirect deps as direct constraints with clear comments
  • Smart dependabot ignore for marvin major bumps given the pydantic-ai compatibility sensitivity
  • Clean commit structure — each commit addresses a distinct concern (marvin fix, CVE bumps, dependabot config)

pdettori changed the title from "fix: pin marvin<3.1.0 to fix contact-extractor crash" to "fix: upgrade marvin>=3.2.0 to fix contact-extractor crash" on Apr 3, 2026
@esnible (Contributor) left a comment

This looks good.

We need to be able to tell if version changes break the examples. Thus we need tests for them. I created CI to make sure the Dockerfiles build and the servers are able to start.

I did not create CI that verifies if the servers actually serve traffic. Perhaps this is needed? Perhaps we should test each example by sending it A2A or MCP traffic?

@cwiklik (Collaborator) left a comment

Review Summary

Previous review's must-fix (stale PR title/description) has been addressed. Title and body now accurately describe the upgrade to marvin>=3.2.0 with CVE-affected indirect dep pins. Code is unchanged and CI remains green.

Areas reviewed: Python (deps), YAML (dependabot), Security (CVEs), Commit conventions
Commits: 3 commits, all signed-off: ✅
CI status: all 11 checks passing ✅

No remaining issues — good to merge.
