chore: prefer older stable releases for fresh-on-pypi packages

Pin to stable older patches where the latest release is < 1 month old
and an older patch still satisfies the CVE fix:

- requests: 2.33.1 (5d old) -> 2.33.0 (32d old)
- pathspec: 1.1.0 (3d old) -> 1.0.4 (3mo old) [black 26 dep]

Pillow 12.2.0, pygments 2.20.0, and pytest 9.0.3 remain at the latest
because they ARE the CVE-mandated minimums - no older patched release
exists.

https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa

Author: claude

poetry.lock

@@ -33,7 +33,7 @@ alive-progress = "^3.1.2"
 prometrix = "0.2.11"
 slack-sdk = "^3.21.3"
 pandas = "2.2.2"
-requests = ">=2.33.0"
+requests = ">=2.33.0,<2.33.1"
 pyyaml = "6.0.1"
 typing-extensions = "4.6.0"
 idna = "3.7"
@@ -46,6 +46,7 @@ tenacity = "^9.0.0"
 [tool.poetry.group.dev.dependencies]
 mypy = "^1.18.2"
 black = ">=26.3.1"
+pathspec = ">=1.0.0,<1.1.0"
 isort = "^5.12.0"
 flake8 = "^6.0.0"
 types-pyyaml = "^6.0.12.8"

pyproject.toml

@@ -37,7 +37,7 @@ pytz==2024.1 ; python_version >= "3.10" and python_full_version < "3.13"
 pyyaml==6.0.1 ; python_version >= "3.10" and python_full_version < "3.13"
 regex==2023.12.25 ; python_version >= "3.10" and python_full_version < "3.13"
 requests-oauthlib==1.4.1 ; python_version >= "3.10" and python_full_version < "3.13"
-requests==2.33.1 ; python_version >= "3.10" and python_full_version < "3.13"
+requests==2.33.0 ; python_version >= "3.10" and python_full_version < "3.13"
 rich==12.6.0 ; python_version >= "3.10" and python_full_version < "3.13"
 rsa==4.9 ; python_version >= "3.10" and python_full_version < "3.13"
 s3transfer==0.16.0 ; python_version >= "3.10" and python_full_version < "3.13"