Bump urllib3 to address security vulnerability

`urllib3 <v2.6.3` has a security vulnerability reported in
GHSA-38jv-5279-wg99, so we are bumping
the version to `2.6.3` without waiting for a 7-day cooldown period.

The `exclude-newer-package` timestamp should be removed once it is 7
days old, as per the guidelines in `DEVELOPERS.md`.

Author: alarthast

pyproject.toml

@@ -60,7 +60,7 @@ isort.lines-after-imports = 2
 # See https://github.com/opensafely-core/repo-template/blob/main/DEVELOPERS.md for details
 [tool.uv]
 exclude-newer = "2025-12-31T00:00:00Z"
-exclude-newer-package = {}
+exclude-newer-package = {"urllib3"="2026-01-07T16:31:00Z"}
 
 [dependency-groups]
 dev = [

requirements.uvmirror.txt

@@ -45,7 +45,7 @@ sqlglot==28.5.0
     # via sqlrunner
 structlog==25.5.0
     # via sqlrunner
-urllib3==2.6.2
+urllib3==2.6.3
     # via
     #   docker
     #   requests