fix: pin idna>=3.15 to address medium Dependabot alert (SSRF via malformed Unicode)

[devin-ai-integration]

Summary

Pin idna>=3.15,<4 as a direct dependency to address medium-severity Dependabot alert CVE-2025-46816 — SSRF via malformed Unicode in URL processing.

idna is a transitive dependency via requests. Without this pin, downstream users could resolve a vulnerable version (<3.15). The constraint >=3.15,<4 is compatible with requests's own idna>=2.5,<4 requirement.

Review & Testing Checklist for Human

• Verify no downstream dependency conflicts (all dbt adapters still install cleanly with idna>=3.15)

Notes

• This is a library (no lockfile), so the constraint takes effect when users install elementary-data
• Linear ticket: https://linear.app/elementary/issue/CORE-863

Link to Devin session: https://app.devin.ai/sessions/3b77f05e8d024412af5fbeed3713803d
Requested by: @NoyaArie

Summary by CodeRabbit

• Chores
  • Updated project dependencies for enhanced compatibility.

[linear]

CORE-863

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 @devin-ai-integration[bot]
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fec329b0-94f8-424b-ac6f-4a425aef6c59

📥 Commits

Reviewing files that changed from the base of the PR and between 5d08a08 and 7345ce4.

📒 Files selected for processing (1)

• pyproject.toml

---

📝 Walkthrough

Walkthrough

The PR adds idna as a direct dependency to the project with a version constraint of >=3.15,<4 in the Poetry configuration file.

Changes

Dependency Management

Layer / File(s)	Summary
Add idna dependency pyproject.toml	The idna library is added to [tool.poetry.dependencies] with version constraint >=3.15,<4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A dash of idna, oh so fine,
Unicode strings will now align,
Constraints so tight, a versioned friend,
On which our dependencies depend! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: pinning idna>=3.15 to address a Dependabot security alert (SSRF vulnerability), which directly matches the single-line dependency addition in pyproject.toml.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch core-863-fix-idna-dependabot-alert

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}