fix: update urllib3 and sphinx dependencies to address vulnerabilities #112

Merged: antonio-olleros merged 1 commit into main from fix/urllib3-vulnerability on May 14, 2026

Conversation

@antonio-olleros

Collaborator

Description

Bump urllib3 from 2.6.3 to 2.7.0 to address a security advisory in the older version. urllib3 is pulled in transitively via sphinx → requests → urllib3 in the docs group. The sphinx constraint is widened so the resolver can pick up a newer urllib3.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Performance improvement
  • Code refactoring
  • Dependency update
  • Other (please describe):

Related Issues

Closes #
Related to #

Changes Made

  • Widened sphinx constraint in pyproject.toml from ^7.4.7 to >=7.4.7,<8.2 (8.2+ requires Python 3.11+, which would drop our supported 3.10).
  • Re-locked sphinx 7.4.7 → 8.1.3 and urllib3 2.6.3 → 2.7.0 via targeted poetry update --lock sphinx urllib3. No other packages touched.

Testing

Tests Added

  • Unit tests
  • Integration tests
  • Test coverage maintained or improved (no source changes; existing coverage preserved)

Testing Performed

poetry install --with docs,dev
poetry run ruff check
poetry run ruff format --check
poetry run mypy
poetry run pytest
poetry run sphinx-build -b html -W --keep-going docs /tmp/docs_build

Test results:

  • All existing tests pass (950 passed)
  • New tests pass (no new tests — dep-only change)
  • Manual testing performed (docs build succeeds under -W with sphinx 8.1.3)

Documentation

  • Updated docstrings
  • Updated README.md
  • Updated documentation in docs/
  • Updated CHANGELOG.md (added entry under "Unreleased") (suggest adding a ### Security entry — not done in this PR)
  • No documentation needed for this change

Code Quality

  • Code follows the project's style guidelines (Ruff)
  • Ran ruff check and ruff format
  • Ran mypy type checking
  • Self-review of code completed
  • Comments added for complex/non-obvious code (N/A)
  • No new warnings generated

Breaking Changes

N/A — urllib3 and sphinx are docs-group dependencies only and are not exposed to end users. End users installing eba-xbridge from PyPI get only the runtime dependencies (pandas, lxml, numpy); poetry groups are not published as extras.

Impact: None for end users. Contributors who run poetry install --with docs will get sphinx 8.1.3 and urllib3 2.7.0.

Migration guide: N/A.

Screenshots (if applicable)

N/A

Checklist

  • My code follows the project's code style
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (none required)
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works (N/A — dep-only)
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published
  • I have updated the CHANGELOG.md

Additional Notes

A blanket poetry update --lock would have churned ~25 packages; using poetry update --lock sphinx urllib3 keeps the lock-file diff to exactly the two intended bumps (17 insertions, 17 deletions in poetry.lock).

sphinx was capped at <8.2 to preserve Python 3.10 support: sphinx 8.2+ requires Python >=3.11, sphinx 9.x requires >=3.12.

Reviewer Notes

Areas to focus on:

  • Whether the sphinx upper bound <8.2 is acceptable, or if we'd rather drop Python 3.10 support and go higher.
  • Whether a CHANGELOG ### Security entry under [Unreleased] should be added before merge.

Questions for reviewers:

  • Should this also be backported to the 2.0.x line, or is main-only fine given the dep is docs-only?
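
The reviewer-side check implied by the "Changes Made" and "Additional Notes" sections above (a targeted lock update should move exactly the two intended packages, and the resolved sphinx must still fall inside the widened >=7.4.7,<8.2 constraint) can be automated. The script below is an added example, not part of this PR or the eba-xbridge project; the lock fragments it parses are constructed stand-ins for the real poetry.lock, and the function names (parse_lock, lock_diff, satisfies, check_bump) are hypothetical. It generalizes the PR's two-package case to any set of expected bumps and constraints.

```python
"""Check that a poetry.lock change contains exactly the intended bumps.

Added example; not the project's own tooling. The lock fragments below are
constructed for illustration, not copied from the real poetry.lock.
"""
from __future__ import annotations

import re

# Constructed "before" lock covering the docs-group chain sphinx -> requests -> urllib3.
LOCK_BEFORE = """\
[[package]]
name = "requests"
version = "2.32.3"

[[package]]
name = "sphinx"
version = "7.4.7"

[package.dependencies]
requests = ">=2.30.0"

[[package]]
name = "urllib3"
version = "2.6.3"
"""

# Constructed "after" lock: only sphinx and urllib3 move, as a targeted update would do.
LOCK_AFTER = LOCK_BEFORE.replace('version = "7.4.7"', 'version = "8.1.3"').replace(
    'version = "2.6.3"', 'version = "2.7.0"'
)

# Constructed lock where a blanket update also churned an unrelated package.
LOCK_CHURNED = LOCK_AFTER.replace('version = "2.32.3"', 'version = "2.32.4"')

_KEY_RE = re.compile(r'(name|version)\s*=\s*"([^"]+)"')
_CLAUSE_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*([\d.]+)")


def parse_lock(text: str) -> dict[str, str]:
    """Map package name -> locked version from [[package]] sections (minimal TOML-ish parse)."""
    versions: dict[str, str] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = None
            continue
        m = _KEY_RE.fullmatch(line)
        if not m:
            continue  # dependency specs, extras, hashes etc. are not name/version lines
        key, value = m.groups()
        if key == "name":
            current = value.lower()
        elif current is not None:
            versions[current] = value
    return versions


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric components of a release version, e.g. "8.1.3" -> (8, 1, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _padded(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    # Pad with zeros so "8.2" and "8.2.0" compare equal, as PEP 440 intends.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, constraint: str) -> bool:
    """True if version meets every comma-separated clause such as ">=7.4.7,<8.2".

    Only plain comparison operators are handled; caret/tilde shorthand is out of scope.
    """
    for clause in constraint.split(","):
        m = _CLAUSE_RE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.groups()
        a, b = _padded(parse_version(version), parse_version(bound))
        ok = {">=": a >= b, "<=": a <= b, "==": a == b, "!=": a != b, ">": a > b, "<": a < b}[op]
        if not ok:
            return False
    return True


def lock_diff(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Packages whose locked version differs, as name -> (old, new)."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}


def check_bump(
    before_text: str,
    after_text: str,
    expected_minimums: dict[str, str],
    constraints: dict[str, str] | None = None,
) -> list[str]:
    """Return problems found; an empty list means the lock change is exactly the intended bumps."""
    before, after = parse_lock(before_text), parse_lock(after_text)
    problems: list[str] = []
    for name, (old, new) in lock_diff(before, after).items():
        if name not in expected_minimums:
            problems.append(f"unexpected change: {name} {old} -> {new}")
    for name, minimum in expected_minimums.items():
        new = after.get(name)
        if new is None:
            problems.append(f"{name} missing from lock")
            continue
        a, b = _padded(parse_version(new), parse_version(minimum))
        if a < b:
            problems.append(f"{name} {new} is below the required minimum {minimum}")
    for name, rng in (constraints or {}).items():
        new = after.get(name)
        if new is not None and not satisfies(new, rng):
            problems.append(f"{name} {new} violates constraint {rng}")
    return problems


if __name__ == "__main__":
    expected = {"sphinx": "8.1.3", "urllib3": "2.7.0"}
    pins = {"sphinx": ">=7.4.7,<8.2"}
    print("targeted update:", check_bump(LOCK_BEFORE, LOCK_AFTER, expected, pins) or "OK")
    print("blanket update: ", check_bump(LOCK_BEFORE, LOCK_CHURNED, expected, pins))
```

In CI the two lock texts would come from `git show main:poetry.lock` and the working tree; the constraint map would be read from pyproject.toml rather than hard-coded. The padding in the comparison matters for the PR's upper bound: 8.2.0 must be rejected by `<8.2` while 8.1.3 passes.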

@antonio-olleros antonio-olleros merged commit cbb2318 into main May 14, 2026
16 checks passed
@javihern98 javihern98 deleted the fix/urllib3-vulnerability branch June 1, 2026 14:13