chore(deps): bump minimum versions for aiohttp, python-dotenv, and Py…#279

Closed
curfew-marathon wants to merge 2 commits into main from chore/bump-vulnerable-deps

Conversation

@curfew-marathon
Contributor

@curfew-marathon curfew-marathon commented Apr 21, 2026

Raises the minimum allowed versions to exclude known vulnerable releases:

  • aiohttp: >=3.9.3 -> >=3.13.4 (fixes 18 CVEs across HTTP parsing, DoS, and header injection)
  • python-dotenv: >=1 -> >=1.2.2 (CVE-2026-28684, symlink following)
  • Pygments: uv.lock updated to >=2.20.0 (CVE-2026-4539, ReDoS)

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to ensure improved compatibility and stability.

@curfew-marathon curfew-marathon requested a review from a team as a code owner April 21, 2026 22:03
Copilot AI review requested due to automatic review settings April 21, 2026 22:03
@coderabbitai
Contributor

coderabbitai Bot commented Apr 21, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ae0d7aa-22ed-481a-9155-3a175d5f1f3e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Dependency version constraints updated across multiple configuration files: aiohttp minimum version incremented from 3.9.3/3.12.15 to 3.13.4, and python-dotenv minimum version raised from >= 1 to >= 1.2.2, while maintaining existing upper bound constraints.

Changes

Cohort / File(s) and Summary

Example Directory Dependencies
  Files: example/example1/requirements.txt, example/opentelemetry/requirements.txt
  Summary: Updated python-dotenv minimum version from >= 1 to >= 1.2.2. Additionally, example/example1/requirements.txt updated aiohttp from >= 3.12.15 to >= 3.13.4.

Root Project Configuration
  Files: pyproject.toml
  Summary: Updated aiohttp dependency constraint from >=3.9.3 to >=3.13.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

dependencies

Suggested reviewers

  • rhamzeh
🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: bumping minimum versions for aiohttp, python-dotenv dependencies to address security vulnerabilities, which aligns with the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@codecov-commenter

codecov-commenter commented Apr 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.91%. Comparing base (fbcdaac) to head (ceb1ce3).

❌ Your project status has failed because the head coverage (69.91%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #279   +/-   ##
=======================================
  Coverage   69.91%   69.91%           
=======================================
  Files         140      140           
  Lines       10764    10764           
=======================================
  Hits         7526     7526           
  Misses       3238     3238           


Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
pyproject.toml (1)

38-38: Add an upper bound for aiohttp to prevent accidental major-version breakage.

Line 38 currently allows any future aiohttp major release. The example files constrain aiohttp to <4, and documented breaking changes exist between 3.x and 4.x. For consistency and to reduce upgrade risk for SDK consumers, align pyproject.toml with the same constraint used in examples.

Suggested constraint alignment
-    "aiohttp>=3.13.4",
+    "aiohttp>=3.13.4,<4",
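Review bot: The `<4` cap on the `+` line is reasonable for the two example applications, which is where the comment says it already exists, but pyproject.toml declares the SDK's runtime requirement that every downstream consumer inherits, so a cap there means no consumer can move to aiohttp 4.x until the SDK ships a release lifting it, even if the SDK turns out to be unaffected. If the cap is adopted, record in the changelog that it is a deliberate compatibility bound and track aiohttp 4 so the bound is lifted on purpose rather than discovered by consumers as a resolver conflict.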
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 38, update the aiohttp dependency constraint to
prevent accidental major-version upgrades by replacing the loose spec
"aiohttp>=3.13.4" with a bounded spec such as "aiohttp>=3.13.4,<4" so the
project stays on compatible 3.x releases; locate and edit the dependency entry
string "aiohttp>=3.13.4" in pyproject.toml and apply the new constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cf43a2e4-5f77-4ecd-9ea5-751a752e065f

📥 Commits

Reviewing files that changed from the base of the PR and between ed02a22 and bc0b3c6.

📒 Files selected for processing (3)
  • example/example1/requirements.txt
  • example/opentelemetry/requirements.txt
  • pyproject.toml
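The floor-raising described in the PR description and the `<4` cap proposed in the nitpick above are both properties a requirement specifier either has or lacks, and they can be checked mechanically before a reviewer has to eyeball them. The Python below is an added example, not code from the openfga-sdk project or from either review bot: it parses requirement lines with a hand-written subset of PEP 440 (no `packaging` dependency) and reports, against the fixed-in floors the PR description gives (aiohttp 3.13.4, python-dotenv 1.2.2, Pygments 2.20.0), whether a line still admits an affected release and whether it admits the next major release. The sample lines are constructed from the before/after values on this page; the `==2.19.2` Pygments pin mirrors the lock-file version Copilot reported.

```python
"""Audit pip-style requirement lines against known fixed-in versions.

Added example, not code from the openfga-sdk project or either review bot.
Hand-implements a small subset of PEP 440 (dotted numeric releases; operators
>=, >, <=, <, ==, !=) so it runs offline. Extras, environment markers and
pre-release tags are rejected rather than guessed at.
"""
import re
from functools import cmp_to_key
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

# Fixed-in floors as stated in the PR description. Assumption: any release
# below a floor is treated as affected; exact advisory ranges are not modelled.
FIXED_IN: Dict[str, str] = {
    "aiohttp": "3.13.4",
    "python-dotenv": "1.2.2",
    "pygments": "2.20.0",
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^#]*?)\s*(?:#.*)?$")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")
_OPS = {
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Pygments' and 'python_dotenv' hit the table."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """'3.13.4' -> (3, 13, 4)."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare with zero padding, so (4,) == (4, 0)."""
    width = max(len(a), len(b))
    a_pad = a + (0,) * (width - len(a))
    b_pad = b + (0,) * (width - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """'aiohttp>=3.13.4,<4' -> ('aiohttp', [('>=', (3, 13, 4)), ('<', (4,))])."""
    match = _REQ_RE.match(line)
    if not match:
        raise ValueError(f"not a requirement line: {line!r}")
    name, spec = match.group(1), match.group(2)
    clauses: List[Clause] = []
    for raw in filter(None, (part.strip() for part in spec.split(","))):
        clause = _CLAUSE_RE.match(raw)
        if not clause:
            raise ValueError(f"unsupported specifier clause {raw!r} in {line!r}")
        clauses.append((clause.group(1), parse_version(clause.group(2))))
    return normalize_name(name), clauses


def satisfies(version: Version, clauses: List[Clause]) -> bool:
    """True when every clause admits the version; an empty spec admits all."""
    return all(_OPS[op](compare(version, bound)) for op, bound in clauses)


def lower_bound(clauses: List[Clause]) -> Version:
    """Effective floor declared by the spec, or (0,) when none is declared."""
    floors = [bound for op, bound in clauses if op in (">=", ">", "==")]
    return max(floors, key=cmp_to_key(compare), default=(0,))


def audit(lines: Iterable[str], fixed_in: Dict[str, str] = FIXED_IN) -> List[dict]:
    """Per tracked package: does the spec still admit an affected release,
    and does it admit the next major release (i.e. it has no cap)?"""
    findings: List[dict] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, clauses = parse_requirement(line)
        floor_text = fixed_in.get(name)
        if floor_text is None:
            continue  # package not in the fixed-in table
        floor = parse_version(floor_text)
        findings.append({
            "name": name,
            "spec": line.strip(),
            # A floor below the fixed-in version leaves affected releases installable.
            "admits_affected": compare(lower_bound(clauses), floor) < 0,
            # The nitpick's concern: nothing stops a future major from resolving.
            "admits_next_major": satisfies((floor[0] + 1, 0), clauses),
        })
    return findings


# Constructed sample input built from the values on this page: the old floors,
# the PR's new floors, and the reviewer's bounded suggestion.
BEFORE = ["aiohttp>=3.9.3", "python-dotenv>=1", "Pygments==2.19.2"]
AFTER = ["aiohttp>=3.13.4", "python-dotenv>=1.2.2", "Pygments>=2.20.0"]
SUGGESTED = ["aiohttp>=3.13.4,<4"]

if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER), ("suggested", SUGGESTED)):
        for f in audit(lines):
            print(f"{label:9} {f['spec']:22} admits_affected={f['admits_affected']!s:5} "
                  f"admits_next_major={f['admits_next_major']}")
```

Run as a script (the file name is your choice): every `before` line reports admits_affected=True, the `after` lines clear that flag but aiohttp still reports admits_next_major=True, and only the reviewer's bounded spec clears both. That is exactly the trade-off the nitpick asks the maintainers to weigh, and the same function can be pointed at a requirements file in CI to fail a build that reintroduces a floor below a known fix.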

Contributor

Copilot AI left a comment


Pull request overview

This PR raises minimum dependency versions to avoid known vulnerable releases, aligning the SDK and example requirements with newer, presumably patched versions.

Changes:

  • Bump aiohttp minimum version in pyproject.toml to >=3.13.4.
  • Bump python-dotenv minimum version in example requirements to >=1.2.2.
  • Update example dependency sets to reflect the new minimums.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File and description:

  • pyproject.toml: Raises the SDK runtime dependency floor for aiohttp.
  • example/opentelemetry/requirements.txt: Raises the example's python-dotenv floor to a patched version.
  • example/example1/requirements.txt: Updates example pins for aiohttp and python-dotenv to newer minimums.


Comment thread pyproject.toml
license="Apache-2.0"
dependencies = [
"aiohttp>=3.9.3",
"aiohttp>=3.13.4",
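Review bot: The `+` line raises the floor in pyproject.toml only, and uv.lock is not among the three files under review, so the lock that the Makefile's `uv sync` installs from will keep its old aiohttp resolution; regenerate uv.lock in this PR and have CI run `uv sync --locked` so that a metadata change without a matching lock update fails the build instead of silently installing the older version.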

Copilot AI Apr 21, 2026


The repo uses uv sync (see Makefile), but uv.lock is currently inconsistent with this new aiohttp>=3.13.4 requirement: it still lists aiohttp with specifier >=3.9.3 in the openfga-sdk package metadata. Please regenerate/update uv.lock after bumping the minimum version so the lock metadata matches the published requirements.

Comment thread pyproject.toml
license="Apache-2.0"
dependencies = [
"aiohttp>=3.9.3",
"aiohttp>=3.13.4",

Copilot AI Apr 21, 2026


PR description mentions bumping Pygments in uv.lock to >=2.20.0, but the current uv.lock still contains pygments version 2.19.2. Either update the lockfile to the intended fixed version (and include it in this PR) or adjust the PR description so it matches what’s actually being changed.

@SoulPancake
Member

Oops, sorry for merging another PR and introducing conflicts in this one.

auto-merge was automatically disabled April 22, 2026 14:09

Pull request was closed
