📊 Bump dependabot deps

[Marigold]

Summary

Consolidates 15 open Dependabot PRs into a single lockfile-only update — all transitive (or already constraint-satisfied) bumps, no pyproject.toml/package.json changes.

pip (uv.lock)

Package	Old	New	Scope
requests	2.33.1	2.34.0	top + lib/catalog + lib/datautils
cryptography	46.0.5	48.0.0	lib/catalog + lib/datautils
pygments	2.19.2	2.20.0	lib/catalog + lib/datautils + lib/repack
pyopenssl	26.0.0	26.2.0	transitive (catalog + datautils)

npm (package-lock.json)

Package	Old	New	Scope
picomatch	2.3.1 → 2.3.2, 4.0.3 → 4.0.4		find-latest-etl-step, clickable-dag-steps, dod-syntax (CVE-2026-33671/33672)
lodash	4.17.23	4.18.1	find-latest-etl-step
flatted	3.3.3	3.4.2	clickable-dag-steps, find-latest-etl-step
minimatch	3.1.2	3.1.5	compare-previous-version

Closes #6061 #5948 #5908 #5905 #5903 #5860 #5858 #5843 #5839 #5832 #5831 #5830 #5820 #5819 #5782.

Test plan

• make check-all (lint, format, typecheck across root + every lib/) ✓

[owidbot]

Quick links (staging server):

Site Dev	Site Preview	Admin	Wizard	Docs

Login: ssh owid@staging-site-data-bump-dependabot-deps

chart-diff: ✅

No charts for review.

data-diff: ✅ No differences found

Automatically updated datasets matching excess_mortality|covid|fluid|flunet|country_profile|garden/ihme_gbd/2019/gbd_risk are not included

Edited: 2026-05-15 07:19:39 UTC
Execution time: 7.98 seconds

[Marigold]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Breezy!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".