
fix(deps): bump CVE-affected deps [VC-53657, VC-53626] #204

Open

ndevarapalli-panw wants to merge 3 commits into master from VC-53657-logos-fix

Conversation

@ndevarapalli-panw ndevarapalli-panw commented Jun 23, 2026

Contributor

Fixes CVEs in cryptography (→ 48.0.1) and pynacl (→ 1.6.2) across both the lockfile and setup.py, so published packages are protected too.
Also bumps pytest, pytest-cov, bandit, python-dateutil, and ruamel.yaml to their latest Python 3.9-compatible releases.

Replaces EOL safety 2.x with pip-audit - same OSV data source, no account required.

Also fixes a latent Python 2 idiom (e.message → str(e)) in pem.py that would mask key-parsing errors on Python 3.

Some CVEs require Python ≥3.10 and are deferred - details in Jira VC-53657. All lockfiles regenerated via make lock on python:3.9.

Test plan

  • bandit - clean
  • pip-audit - deferred findings only (documented in Jira)
  • pytest tests/test_local_methods.py - 35/35 pass
  • Integration tests against live TPP/VaaS
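The e.message versus str(e) point from the description, shown as an added example written for this page rather than taken from vcert's pem.py; _load_key and KeyParseError are hypothetical stand-ins for the real key loader and its wrapper error:

```python
# Added example (not vcert's code): why the Python 2 idiom `e.message`
# masks the real parsing error on Python 3, and what the `str(e)` fix changes.


class KeyParseError(Exception):
    """Hypothetical wrapper error raised when a PEM key cannot be parsed."""


def _load_key(pem_text: str) -> bytes:
    # Constructed stand-in for a real PEM loader: reject anything that is not
    # a PEM block so the except-path below is actually exercised.
    if not pem_text.startswith("-----BEGIN"):
        raise ValueError("Could not deserialize key data: missing PEM header")
    return pem_text.encode()


def parse_key_py2_idiom(pem_text: str) -> bytes:
    """Buggy: on Python 3 BaseException has no `.message`, so the handler
    itself raises AttributeError and the original ValueError is hidden."""
    try:
        return _load_key(pem_text)
    except ValueError as e:
        raise KeyParseError(e.message)  # AttributeError on Python 3


def parse_key_fixed(pem_text: str) -> bytes:
    """Fixed: str(e) works on every exception and preserves the message;
    `from e` keeps the original error on the chain for debugging."""
    try:
        return _load_key(pem_text)
    except ValueError as e:
        raise KeyParseError(str(e)) from e


def error_seen_by_caller(parser, pem_text: str) -> str:
    """Return the exception type and text a caller would actually observe."""
    try:
        parser(pem_text)
    except Exception as exc:  # broad on purpose: we want to show what leaks out
        return f"{type(exc).__name__}: {exc}"
    return "ok"


if __name__ == "__main__":
    bad = "not a pem block"  # constructed input that is not a PEM block
    print(error_seen_by_caller(parse_key_py2_idiom, bad))
    print(error_seen_by_caller(parse_key_fixed, bad))
```

With the buggy handler the caller sees an AttributeError about the missing attribute, not the key-parsing failure; with the fix it sees KeyParseError carrying the loader's own message.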

Comment thread docker-entrypoint.sh

bandit -r vcert/

# ID 40291 is pip, ignore so we can still test python 2.7
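Review bot: the comment `# ID 40291 is pip, ignore so we can still test python 2.7` above `bandit -r vcert/` is stale in this PR: it refers to an ignored vulnerability ID for the safety scan that the description says is replaced by pip-audit, and to Python 2.7 testing that the reply below confirms is no longer supported. Remove it or rewrite it to describe the pip-audit invocation that replaces the safety step, so the entrypoint does not document a check that no longer runs.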

Contributor

My take here is that you guys are no longer supporting python 2?

Contributor Author

Yes

Comment thread Dockerfile
> /tmp/pip-pin.txt && pip install --no-cache-dir --require-hashes -r /tmp/pip-pin.txt

COPY requirements-build.txt ./
COPY docker-entrypoint.sh ./
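Review bot: missing documentation: nothing in the Dockerfile says that docker-entrypoint.sh now arrives through `COPY . .` rather than the explicit `COPY docker-entrypoint.sh ./` shown here, and the question below shows a reader tripping over exactly that. A one-line comment above `COPY requirements-build.txt ./` stating that the lockfile is copied first for layer caching and that the rest of the tree, entrypoint included, comes with the later `COPY . .` would close the gap. The `--require-hashes` on the `pip install` line is the right choice for a CVE-motivated dependency bump and should stay.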

Contributor

How is docker-entrypoint.sh being run in line 13 if it's not being copied to the Docker container?

Contributor Author

It is being copied: COPY . . on line 11 copies the entire repo root into /usr/src/app, which includes docker-entrypoint.sh. The explicit COPY docker-entrypoint.sh ./ that was in the original Dockerfile was removed because it was a redundant layer; COPY . . already covers it.

requirements-build.txt is still copied separately and early (line 8) for Docker layer caching so that the pip install step only re-runs when the lockfile changes, not on every source code change.

@rvelaVenafi rvelaVenafi left a comment

Contributor

Left comments

@ndevarapalli-panw

Contributor Author

Added setup.py range constraints in the third commit to address VC-53626 alongside this fix, since we are already modifying the file.

install_requires converted from exact == pins to >=floor with ceilings only where the upstream library has a history of breaking API changes between majors (cryptography, ruamel.yaml). Minimum versions are identical to the CVE-safe pins already under review. Also added python_requires='>=3.9.2,<4' which was previously absent.

@ndevarapalli-panw ndevarapalli-panw changed the title fix(deps): bump CVE-affected deps [VC-53657] fix(deps): bump CVE-affected deps [VC-53657, VC-53626] Jun 24, 2026