SG-42549 Refactor requirements management (#344)

* SG-42118 Consolidate per-version requirements into a single file

- Replace resources/python/requirements/{version}/requirements.txt (5 files)
  with a single resources/python/requirements.txt using PEP 508 env markers
- All version-specific pinning preserved via python_version conditions
- Package versions are unchanged from master
- Update update_requirements.py to use the new single path
- Add .github/dependabot.yml scoping pip scanning to src/ and bin/ only,
  excluding requirements.txt (template file, not installed directly)

* SG-42118 Improve requirements.txt documentation and CVE annotations

* SG-42118 Add azure-pipelines/requirements.txt and update CI dependency references

* SG-42118 Exhaustive CVE history annotations in requirements.txt

* SG-42118 Add CVE-2020-35678 (autobahn) and CVE-2020-25659 (cryptography) annotations

* SG-42118 Fix operator and marker for sub-level dependencies

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: julien-lang

.snyk

@@ -35,10 +35,11 @@ jobs:
       - name: tk-framework-desktopclient
       - name: tk-shotgun
     extra_test_dependencies:
-      # Required when binary dependencies are not bundled
-      - attrs==22.2.0    # Fix version. Otherwise tk-ci-tools will install latest
-      - Twisted==22.10.0 # Last version supporting Python 3.7
-      - websocket-client==1.6.1 # Last version supporting Python 3.7
+      # CI installs dependencies from the dedicated Azure Pipelines
+      # requirements file, which must be kept in sync with the unified
+      # runtime requirements so CI-installed versions match what pkgs.zip
+      # bundles, preventing sys.modules version conflicts.
+      - --requirement=azure-pipelines/requirements.txt
     post_tests_steps:
       - task: Bash@3
         displayName: Run interpreter integration tests

.travis.yml.disabled

@@ -0,0 +1,25 @@
+# Test-environment dependencies for Azure Pipelines CI.
+# These supplement the pre-built pkgs.zip bundle and are not shipped with the
+# product.
+#
+# Note: attrs and Twisted versions must be kept in sync with
+# resources/python/requirements.txt.
+
+#-------------------------------------------------------------------------------
+# attrs
+# Pinned to prevent tk-ci-tools from upgrading to a newer version automatically.
+attrs==22.2.0
+
+#-------------------------------------------------------------------------------
+# Twisted
+# Must match the version bundled in pkgs.zip/src/ for each Python version.
+# A version mismatch causes a sys.modules conflict at runtime (see SG-42304).
+Twisted==22.10.0 ; python_version <  "3.9"
+Twisted==24.10.0 ; python_version >= "3.9" and python_version < "3.13"
+Twisted~=24.11.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# websocket-client
+# Test-only dependency (not bundled in pkgs.zip).
+websocket-client==1.6.1 ; python_version <  "3.9"  # Last version supporting Python 3.7
+websocket-client~=1.9.0 ; python_version >= "3.9"

azure-pipelines.yml

@@ -0,0 +1,124 @@
+# Targeted Python versions:
+#   - 3.7  (legacy)
+#   - 3.9  (VFX CY2022)
+#   - 3.10 (VFX CY2023)
+#   - 3.11 (VFX CY2024)
+#   - 3.13 (VFX CY2026)
+#
+# When updating a dependency, follow the process described in README.md.
+# CI handles regeneration automatically.
+# Note: Twisted and attrs are also pinned in azure-pipelines/requirements.txt
+# and must be kept in sync with the versions here.
+
+# ============================================================================ #
+# Direct dependencies
+#   Version constraints balance code compatibility and CVE requirements.
+#
+
+#-------------------------------------------------------------------------------
+# autobahn
+# CVE-2020-35678 - fixed in 20.12.3
+autobahn==22.12.1 ; python_version <  "3.13"
+autobahn~=24.4.2  ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# pyOpenSSL
+pyopenssl==25.0.0 ; python_version <  "3.13"
+pyopenssl~=25.0.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# Twisted
+# CVE-2022-21712 - fixed in 22.1
+# CVE-2022-24801 - fixed in 22.1
+# CVE-2024-41671 & CVE-2024-41810 - fixed in 24.10.0 - N/A for Python 3.7
+twisted==22.10.0 ; python_version <  "3.9" # Last version supporting 3.7
+twisted==24.10.0 ; python_version >= "3.9" and python_version < "3.13"
+twisted~=24.11.0 ; python_version >= "3.13"
+
+# ============================================================================ #
+# Selected sub-level dependencies
+#   CVE-driven: minimum versions (>= x.y.z).
+#   Other reasons (e.g. compatibility, bundling): pinned to a specific version.
+#
+
+#-------------------------------------------------------------------------------
+# attrs
+# Required by:
+#   → service-identity
+#   ↳ Twisted
+# Do not upgrade! The CI pipeline installs attrs==22.2.0 as a system-level test
+# dependency (see azure-pipelines/requirements.txt). pytest also imports attrs
+# early, caching it in sys.modules. From attrs 23.2.0,
+# `attrs/__init__.py` imports `Converter` from `attr`. If the bundled version is
+# newer than the cached one, that import fails with:
+#   ImportError: cannot import name 'Converter' from 'attr'
+# Twisted 24.x and autobahn 24.x only require attrs>=22.2.0, so this is safe.
+attrs==22.2.0
+
+#-------------------------------------------------------------------------------
+# certifi
+# Required by:
+#   → pyOpenSSL
+#   ↳ Twisted
+# Pinned to match the version bundled with FPT Desktop
+certifi==2026.1.4
+
+#-------------------------------------------------------------------------------
+# cffi
+# Required by:
+#   → cryptography → autobahn
+#                  ↳ pyOpenSSL
+#                  ↳ service-identity
+cffi>=1.15.1 ; python_version <  "3.13"
+cffi>=1.17.1 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# cryptography
+# Required by:
+#   → autobahn
+#   ↳ pyOpenSSL
+#   ↳ service-identity
+# CVE-2023-2650  - fixed in 41.0.0
+# CVE-2023-4807  - fixed in 41.0.5
+# CVE-2023-5678  - fixed in 41.0.7
+# CVE-2023-49083 - fixed in 41.0.7
+# CVE-2024-2511  - fixed in 43.0.1
+# CVE-2024-4603  - fixed in 43.0.1
+# CVE-2024-6119  - fixed in 43.0.1
+# CVE-2024-12797 - fixed in 44.0.1
+cryptography>=44.0.1
+
+#-------------------------------------------------------------------------------
+# hyperlink
+# Required by:
+#   → autobahn
+#   ↳ Twisted
+hyperlink>=21.0.0
+
+#-------------------------------------------------------------------------------
+# idna
+# Required by:
+#   → hyperlink → autobahn
+#               ↳ Twisted
+# CVE-2024-3651 - fixed in 3.7
+idna>=3.7 ; python_version <  "3.13"
+idna>=3.8 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# service-identity
+# Required by:
+#   → Twisted
+service-identity>=21.1.0 ; python_version <  "3.13"
+service-identity>=24.2.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# six
+# Required by: service-identity
+# service-identity 24.x (Python 3.13+) no longer requires six
+six==1.16.0 ; python_version < "3.13"
+
+#-------------------------------------------------------------------------------
+# zope.interface
+# Required by: Twisted
+zope.interface>=5.5.2 ; python_version <  "3.13"
+zope.interface>=7.1.0 ; python_version >= "3.13"