chore: resolve open dependabot security alerts

[jonathannorris]

Summary

• Resolved 12 open Dependabot security alerts by bumping vulnerable transitive dependencies in uv.lock.
• Bumped aiohttp to 3.14.1 (resolves 11 alerts, chore: add CODEOWNERS #34-ModuleNotFoundError when importing flagd provider #44).
• Bumped cryptography to 49.0.0 (resolves 1 high-severity alert, fix: include proto file in build for openfeature-provider-flagd #45).
• Bumped grpcio to 1.81.1 to keep the locked runtime in step with the generated grpc stubs (the build generates code with grpcio-tools >= 1.81.1, which the previously-pinned grpcio 1.81.0 runtime rejected at import time, breaking the flagd provider test job).

All three are transitive dependencies. aiohttp and grpcio come in via the provider packages; cryptography via moto in openfeature-provider-aws-ssm's dev group. The lockfile was regenerated with uv lock --upgrade-package <pkg>. Verified build, mypy, and the affected package test suites on the patched versions.

Dependabot Alerts Resolved

Alert	Package	Severity	Fix
#34	aiohttp	medium	Bumped to 3.14.1 (Deserialization of Untrusted Data)
#35	aiohttp	medium	Bumped to 3.14.1 (cross-origin redirect with per-request cookies)
#36	aiohttp	low	Bumped to 3.14.1 (host-only cookies become domain cookies)
#37	aiohttp	low	Bumped to 3.14.1 (CRLF injection in multipart headers)
#38	aiohttp	medium	Bumped to 3.14.1 (unread compressed bodies bypass client_max_size)
#39	aiohttp	low	Bumped to 3.14.1 (payload resources not closed after mid-body disconnect)
#40	aiohttp	medium	Bumped to 3.14.1 (DigestAuthMiddleware leaks creds on cross-origin redirect)
#41	aiohttp	medium	Bumped to 3.14.1 (HTTP/1 pipelined requests queue without limit)
#42	aiohttp	medium	Bumped to 3.14.1 (incomplete websocket frames bypass memory limits)
#43	aiohttp	low	Bumped to 3.14.1 (TLS hostname override ignored on reused connections)
#44	aiohttp	medium	Bumped to 3.14.1 (C HTTP parser bypasses max_line_size)
#45	cryptography	high	Bumped to 49.0.0 (vulnerable OpenSSL in cryptography wheels)

[gemini-code-assist]

Code Review

This pull request updates dependencies in the uv.lock file, upgrading aiohttp from 3.13.5 to 3.14.1 along with its corresponding wheels and a conditional dependency on typing-extensions. Additionally, openfeature-provider-flagd is upgraded from 0.4.1 to 0.5.0. As there are no review comments, no further feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.28%. Comparing base (9c493b8) to head (6f5ccc7).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #399      +/-   ##
==========================================
+ Coverage   95.62%   96.28%   +0.65%     
==========================================
  Files          24       47      +23     
  Lines        1029     1750     +721     
==========================================
+ Hits          984     1685     +701     
- Misses         45       65      +20     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 319bb8a6-4717-4af9-885f-9ead35796ce5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}