chore: add uv exclude-newer policy

[lucarlig]

🔗 Related Issue

Closes #3902

---

📝 Summary

Add a repository-level uv exclude-newer policy and refresh uv.lock under that policy.

This uses a 10 days window. A 14 days window was evaluated first, but it currently makes resolution unsatisfiable because sse-starlette>=3.3.3 falls inside that cutoff.

---

🏷️ Type of Change

• Bug fix
• Feature / Enhancement
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lockfile validation	uv lock --check	✅
Lockfile refresh	uv lock	✅
Pre-commit hooks on diff	git commit	✅

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes (optional)

The detect-secrets hook refreshed .secrets.baseline metadata and line numbers after the pyproject.toml insertion, so that file is included with the config and lockfile changes.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 12 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA dd4962b.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

uv.lock

Name	Version	Vulnerability	Severity
requests	2.32.5	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	moderate

Only included vulnerabilities with severity moderate or higher.

License Issues

uv.lock

Package	Version	License	Issue Type
build	1.4.0	Null	Unknown License
jaraco-context	6.1.1	Null	Unknown License
langchain-core	1.2.23	Null	Unknown License
langgraph	1.1.2	Null	Unknown License
langgraph-sdk	0.3.11	Null	Unknown License
langsmith	0.7.20	Null	Unknown License
pipdeptree	2.31.0	Null	Unknown License
pyrefly	0.57.0	Null	Unknown License
python-discovery	1.1.3	Null	Unknown License
tox	4.50.0	Null	Unknown License
uv	0.10.11	Null	Unknown License
vulture	2.15	Null	Unknown License

Denied Licenses:

GPL-1.0, GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0, RPL-1.5, OSL-3.0, CPAL-1.0

Excluded from license check:

pkg:pypi/pylint-pydantic

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/requests	2.32.5	Unknown	Unknown
pip/cryptography	46.0.5	Unknown	Unknown
pip/anyio	4.12.1	Unknown	Unknown
pip/attrs	25.4.0	Unknown	Unknown
pip/build	1.4.0	Unknown	Unknown
pip/faker	40.11.0	🟢 4.9	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/fastapi	0.135.1	Unknown	Unknown
pip/gunicorn	25.1.0	Unknown	Unknown
pip/jaraco-context	6.1.1	Unknown	Unknown
pip/jsonpointer	3.0.0	🟢 4.6	Details Check Score Reason Code-Review 🟢 5 Found 4/7 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 14 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/langchain-core	1.2.23	Unknown	Unknown
pip/langgraph	1.1.2	Unknown	Unknown
pip/langgraph-sdk	0.3.11	Unknown	Unknown
pip/langsmith	0.7.20	Unknown	Unknown
pip/nh3	0.3.3	Unknown	Unknown
pip/openai	2.29.0	Unknown	Unknown
pip/pipdeptree	2.31.0	Unknown	Unknown
pip/protobuf	6.33.5	Unknown	Unknown
pip/pyrefly	0.57.0	Unknown	Unknown
pip/pytest-cov	7.0.0	Unknown	Unknown
pip/python-discovery	1.1.3	Unknown	Unknown
pip/redis	7.3.0	Unknown	Unknown
pip/ruff	0.15.6	Unknown	Unknown
pip/tomli	2.4.0	Unknown	Unknown
pip/tox	4.50.0	Unknown	Unknown
pip/ty	0.0.23	Unknown	Unknown
pip/uv	0.10.11	Unknown	Unknown
pip/vulture	2.15	Unknown	Unknown
pip/werkzeug	3.1.6	Unknown	Unknown

Scanned Files

• uv.lock

[crivetimihai]

Thanks @lucarlig — reproducible lockfile resolution is a valuable CI improvement. The 10-day exclude-newer window is a reasonable trade-off given the sse-starlette constraint. Please rebase onto main to resolve the merge conflicts so we can get this merged.