Update dependencies to resolve security findings

[johan-j]

Issue:

• https://github.com/github/vuln-mgmt/issues/180510

Update direct dependencies to resolve security findings

Bumps all direct dependencies to their latest compatible versions, which pulls in patched transitive dependencies that address the open security findings.

Direct dependency changes

Package	Old	New
azure-ai-evaluation	~=1.13.7	~=1.15.3
openai	~=2.14.0	~=2.26.0
python-dotenv	~=1.0.1	~=1.2.2
ipykernel	~=6.29.5	~=7.2.0
promptflow-devkit	~=1.18.2	~=1.18.3
starlette	~=0.49.1	~=0.49.3

Unchanged (already at latest compatible):

• azure-ai-inference~=1.0.0b9 — no newer release available
• mistralai~=0.4.2 — latest is 2.x which is a breaking API change; not in scope for security findings
• urllib3~=2.6.3 — already at latest

Security findings resolved

Criticality	Package	Required	Resolved
moderate	azure-core	≥ 1.38.0	1.38.2
moderate	nltk	≥ 3.9.3	3.9.3
low	filelock	≥ 3.20.3	3.25.1
low	protobuf	≥ 6.33.5	6.33.5
low	pillow	≥ 12.1.1	12.1.1
low	werkzeug	≥ 3.1.6	3.1.6
low	cryptography	≥ 46.0.5	46.0.5
low	flask	≥ 3.1.3	3.1.3

Verification

• pip install --dry-run confirms dependency resolution succeeds with no conflicts
• All 9 security findings (across 8 packages) resolve to patched versions via transitive dependencies — no explicit pins needed

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[megan-arellano]

Niiiice