chore(deps): pytest 9 + urllib3 2.7 + dependabot config

[stuartc]

Short Description

Bumps pytest (8.4.2 → 9.0.3) and urllib3 (2.6.3 → 2.7.0), and adds a .github/dependabot.yml so updates start coming through as PRs instead of just silent alerts.

Closes Dependabot alerts: urllib3 #32, #43, #44, #57, #99; pytest #91, #96.

Implementation Details

Two low-risk bumps:

• pytest 9 — clean major bump. Our tests don't use the third-party pytest plugins that usually cause friction on a pytest major (no asyncio/socket/benchmark markers anywhere), so nothing in the test code needed touching.
• urllib3 2.7.0 — the pinecone PR below this one (chore(deps): upgrade pinecone 7 + aiohttp 3.14 to close transitive HTTP CVEs #512) already dropped the old PyPy-marked 1.26.20 lock entry, which on its own cleared Move important code out of util #32/Don't include node in the the docker image #43/New Server #44/Bump tqdm from 4.66.2 to 4.66.3 #57 (all fixed by 2.6.3). This just takes it the last step to 2.7.0 to close Search: optimize embeddings chunks #99 (the cross-origin header leak in proxied redirects).

The new dependabot.yml covers both pip (our Poetry deps) and github-actions, weekly, with minor/patch grouped into a single PR per ecosystem so it doesn't get noisy.

Only pytest and urllib3 moved in the lock — pinecone/aiohttp/langchain all held firm. Unit suite is 9/9 on pytest 9.

This is PR 2 of 3 in a stack — base is deps/pinecone-aiohttp (#512), and #514 builds on top of this. Merge order: #512 → this → #514.

AI Usage

Please disclose how you've used AI in this work (it's cool, we just want to know!):

• Code generation (copilot but not intellisense)
• Learning or fact checking
• Strategy / design
• Optimisation / refactoring
• Translation / spellchecking / doc gen
• Other
• I have not used AI

Put together with Claude Code — agent workflows did the bumps, the dependabot config, and the test run.

You can read more details in our Responsible AI Policy

[josephjclark]

Done in release 1.3.0