
fix(deps): resolve 13 Dependabot security alerts#1284

Merged
jeremyeder merged 2 commits into ambient-code:main from jeremyeder:deps/security-fixes on Apr 10, 2026

Conversation

@jeremyeder
Contributor

@jeremyeder jeremyeder commented Apr 10, 2026

Summary

Remaining alerts (3)

Alerts #144, #145, #146 (fastmcp 2.14.3 → 3.2.0) are blocked on upstream: mcp-atlassian 0.21.1 pins fastmcp<2.15.0,>=2.13.0. The CVEs affect fastmcp's OpenAPI provider and OAuth proxy — not in our code path, but the alerts will stay open until mcp-atlassian releases a version compatible with fastmcp 3.x.

Test plan

  • Frontend: 614 tests pass (npx vitest run)
  • Runner: 543 tests pass (uv run pytest tests/)
  • CI passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Bumped frontend and runtime dependency minimums to newer patch releases.
  • Refactor

    • Code formatting and parameter/layout reflows across several modules for readability.
  • Tests

    • Cleaned up and reformatted unit tests, removing unused imports and improving fixture readability.
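Added example (not part of the PR or the ambient-code project): a small, dependency-free check that reproduces why the three fastmcp alerts stay open. It feeds the pin quoted in the summary (mcp-atlassian 0.21.1: `fastmcp<2.15.0,>=2.13.0`) and the fixed versions from the commit messages into a specifier check; the `TRANSITIVE_PINS` and `ALERT_FIXES` tables are constructed from this page, and the parser handles plain numeric versions and comparison operators only.

```python
# Added example: which Dependabot fix versions do a project's transitive pins allow?
from typing import Dict, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.3' -> (2, 14, 3). Numeric dotted versions only (no pre-release tags)."""
    return tuple(int(p) for p in v.strip().split("."))

def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Pad with zeros so '3.13' and '3.13.0' compare equal."""
    return v + (0,) * (n - len(v))

def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of a PEP 440-style
    specifier such as '<2.15.0,>=2.13.0'."""
    ops = {
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    }
    ver = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", "!=", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                req = parse_version(clause[len(op):])
                n = max(len(ver), len(req))
                if not ops[op](_pad(ver, n), _pad(req, n)):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True

def blocked_upgrades(pins: Dict[str, str], alerts: Dict[str, str]) -> Dict[str, str]:
    """Map each alerted package whose fix version violates a transitive pin to
    the offending pin. Packages with no pin are upgradable."""
    return {pkg: pins[pkg] for pkg, fixed in alerts.items()
            if pkg in pins and not satisfies(fixed, pins[pkg])}

# Constructed from the PR text: the only transitive pin that matters here is
# mcp-atlassian's fastmcp constraint; the fix versions come from the commits.
TRANSITIVE_PINS = {"fastmcp": "<2.15.0,>=2.13.0"}
ALERT_FIXES = {"fastmcp": "3.2.0", "aiohttp": "3.13.4", "next": "16.2.3",
               "cryptography": "46.0.7", "lupa": "2.7"}

if __name__ == "__main__":
    for pkg, pin in blocked_upgrades(TRANSITIVE_PINS, ALERT_FIXES).items():
        print(f"{pkg} -> {ALERT_FIXES[pkg]} blocked by pin {pin}")
```

Re-running this after each upstream mcp-atlassian release (with its new pin pasted into `TRANSITIVE_PINS`) tells you whether the fastmcp 3.x bump has become resolvable before you touch the lockfile.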

@coderabbitai
Contributor

coderabbitai bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aea36975-5fa5-4f0d-a358-3c343520ea87

📥 Commits

Reviewing files that changed from the base of the PR and between a83af40 and 9197987.

⛔ Files ignored due to path filters (2)
  • components/frontend/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
  • components/runners/ambient-runner/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • components/frontend/package.json
  • components/runners/ambient-runner/ambient_runner/endpoints/model.py
  • components/runners/ambient-runner/ambient_runner/mlflow_observability.py
  • components/runners/ambient-runner/ambient_runner/observability.py
  • components/runners/ambient-runner/pyproject.toml
  • components/runners/ambient-runner/tests/test_mcp_config.py
  • scripts/generate-loading-tips.py
✅ Files skipped from review due to trivial changes (5)
  • components/frontend/package.json
  • components/runners/ambient-runner/ambient_runner/endpoints/model.py
  • components/runners/ambient-runner/ambient_runner/observability.py
  • components/runners/ambient-runner/ambient_runner/mlflow_observability.py
  • components/runners/ambient-runner/tests/test_mcp_config.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • components/runners/ambient-runner/pyproject.toml

📝 Walkthrough

Walkthrough

Multiple formatting and minor refactor changes across the ambient-runner and scripts, plus two patch dependency bumps: next from 16.2.2→16.2.3 and aiohttp constraint from >=3.13.3→>=3.13.4. No behavioral or API changes introduced.

Changes

Cohort / File(s) | Summary

Frontend Dependencies
  components/frontend/package.json
  Bumped next from 16.2.2 to 16.2.3 (patch update).

Runner Dependencies
  components/runners/ambient-runner/pyproject.toml
  Raised aiohttp minimum constraint from >=3.13.3 to >=3.13.4.

Ambient Runner — formatting/refactor
  components/runners/ambient-runner/ambient_runner/endpoints/model.py, components/runners/ambient-runner/ambient_runner/mlflow_observability.py, components/runners/ambient-runner/ambient_runner/observability.py
  Signature and expression reformatting, multi-line parameter/tuple assignments, and import/alias reorderings only; no logic or API changes.

Ambient Runner — tests
  components/runners/ambient-runner/tests/test_mcp_config.py
  Removed unused imports and reformatted test JSON fixtures to multi-line structures; test logic and assertions unchanged.

Scripts — formatting
  scripts/generate-loading-tips.py
  Refactored function signatures and reformatted subprocess/print invocations and list literals to multi-line forms; no behavioral changes.
🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
  Docstring Coverage | ⚠️ Warning | Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

Check name | Status | Explanation
  Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
  Title check | ✅ Passed | Title follows Conventional Commits format with type(scope): description pattern and accurately describes the main change—dependency updates addressing security alerts.
  Performance And Algorithmic Complexity | ✅ Passed | PR introduces zero algorithmic changes. All modifications are formatting adjustments, import reordering, and dependency updates. Existing loops remain unchanged.
  Security And Secret Handling | ✅ Passed | Security-focused PR updates dependencies (next 16.2.3, aiohttp ≥3.13.4) addressing 13 CVEs with no hardcoded secrets, safe subprocess calls, path validation, and proper sensitive data masking.
  Kubernetes Resource Safety | ✅ Passed | Pull request modifies only dependency files and Python code; no Kubernetes resource manifests are changed.


Ambient Code Bot and others added 2 commits April 10, 2026 14:58
Bump next 16.2.2 → 16.2.3 (CVE: DoS via Server Components)
Bump aiohttp >=3.13.3 → >=3.13.4 (9 CVEs: header injection, SSRF, DoS)
Bump cryptography 46.0.5 → 46.0.7 (buffer overflow)
Bump lupa 2.6 → 2.7 (sandbox escape / RCE)

3 fastmcp alerts remain open — mcp-atlassian pins fastmcp<2.15.0,
blocking upgrade to 3.2.0. Waiting on upstream release.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move import above module-level assignment to fix E402, apply ruff
formatting fixes to upstream files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jeremyeder jeremyeder force-pushed the deps/security-fixes branch from a83af40 to 9197987 on April 10, 2026 19:00
@jeremyeder jeremyeder disabled auto-merge April 10, 2026 19:05
@jeremyeder jeremyeder merged commit 2389565 into ambient-code:main Apr 10, 2026
29 of 31 checks passed