security: address CVE-2025-53000 and CVE-2026-21441

noxfile.py

@@ -157,7 +157,7 @@ def audit(session: nox.Session) -> None:
             "--ignore-vuln",
             "GHSA-4xh5-x5gv-qwph",  # https://pyinstaller.org/en/stable/license.html
             "--ignore-vuln",
-            "GHSA-xm59-rqc7-hhvf",  # nbconvert CVE-2025-53000: no fix available
+            "CVE-2025-53000",  # no fix available
         )
     except CommandFailed:
         _format_json_with_jq(session, "reports/vulnerabilities.json")

pyproject.toml

@@ -123,7 +123,7 @@ dependencies = [
     "tenacity>=9.1.2,<10",
     "tqdm>=4.67.1,<5",
     "truststore>=0.10.4,<1",
-    "urllib3>=2.6.1,<3",
+    "urllib3>=2.6.3,<3", # CVE-2026-21441 requires >= 2.6.3
     "wsidicom>=0.28.1,<1",
     # Transitive overrides
     # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.