
chore: bump cryptography and pillow for security fixes#364

Merged
johnnygreco merged 1 commit into main from chore/bump-cryptography-pillow
Mar 3, 2026

Conversation

@johnnygreco
Contributor

@johnnygreco johnnygreco commented Mar 2, 2026

Summary

  • Bump cryptography 46.0.3 → 46.0.5 (transitive dependency, lock file only)
  • Bump Pillow 12.1.0 → 12.1.1 (lower bound updated in pyproject.toml)

Addresses vulnerabilities flagged in the Feb 26, 2026 dependency scan.

Note: pytest 9.0.2 was also flagged (CVE-2025-71176, medium severity), but 9.0.2 is the latest release and no patched version is available yet. Since pytest is a dev-only dependency, the risk is limited to developer machines and CI.

Address security vulnerabilities flagged in dependency scan:
- cryptography: transitive dep updated via lock file
- pillow: lower bound bumped in pyproject.toml to 12.1.1
@johnnygreco johnnygreco requested a review from a team as a code owner March 2, 2026 23:04
@greptile-apps
Contributor

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR is a routine security dependency bump that addresses vulnerabilities identified in the Feb 26, 2026 dependency scan — Pillow is bumped from 12.1.0 → 12.1.1 (patch in lock file, lower bound tightened in pyproject.toml) and cryptography is bumped from 46.0.3 → 46.0.5 (lock file only, transitive dep).

  • packages/data-designer-config/pyproject.toml: Pillow lower bound updated from >=12.0.0 to >=12.1.1 to ensure only the patched version is resolved.
  • uv.lock: cryptography pinned to 46.0.5, Pillow pinned to 12.1.1; lock file revision incremented to 3. All wheel/sdist hashes appear well-formed.
  • The PR description correctly notes that pytest 9.0.2 (CVE-2025-71176) cannot be patched yet since 9.0.2 is the latest release; risk is scoped to dev/CI environments only.

Confidence Score: 5/5

  • This PR is safe to merge — changes are minimal, well-scoped security patches with no API or behavioral changes.
  • Both updates are patch-level releases with no breaking changes. The pyproject.toml lower-bound tightening is consistent with the resolved version in the lock file. No logic changes, only dependency version bumps.
  • No files require special attention.

Important Files Changed

Filename Overview
packages/data-designer-config/pyproject.toml Pillow lower bound bumped from >=12.0.0 to >=12.1.1 to enforce the patched version; no other changes.
uv.lock Lock file updated: cryptography 46.0.3 → 46.0.5 and Pillow 12.1.0 → 12.1.1, with revision bumped from 2 to 3; hashes look well-formed.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Feb 26 2026 Dependency Scan] --> B{Vulnerabilities found}
    B --> C[Pillow 12.1.0\nCVE patched in 12.1.1]
    B --> D[cryptography 46.0.3\nCVE patched in 46.0.5]
    B --> E[pytest 9.0.2\nCVE-2025-71176 - no fix yet]
    C --> F[pyproject.toml\npillow >=12.1.1]
    C --> G[uv.lock\npillow 12.1.1]
    D --> G
    E --> H[Deferred - dev only\nlimited risk]
    F --> I[PR #364 merged]
    G --> I

Last reviewed commit: 016b257

Contributor

@andreatgretel andreatgretel left a comment


LGTM -- clean security bump for cryptography (46.0.3 → 46.0.5) and pillow (12.1.0 → 12.1.1). Only pyproject.toml lower bound change + lock file hash churn. No logic changes.

@johnnygreco johnnygreco merged commit f251446 into main Mar 3, 2026
49 checks passed