SG-42118 - SG-42922 - SG-42923 - Update third party libraries to address CVEs (#343)

* SG-42118 Consolidate per-version requirements into a single file

- Replace resources/python/requirements/{version}/requirements.txt (5 files)
  with a single resources/python/requirements.txt using PEP 508 env markers
- All version-specific pinning preserved via python_version conditions
- Package versions are unchanged from master
- Update update_requirements.py to use the new single path
- Add .github/dependabot.yml scoping pip scanning to src/ and bin/ only,
  excluding requirements.txt (template file, not installed directly)

* SG-42118 Improve requirements.txt documentation and CVE annotations

* SG-42118 Add azure-pipelines/requirements.txt and update CI dependency references

* SG-42118 Exhaustive CVE history annotations in requirements.txt

* SG-42118 Add CVE-2020-35678 (autobahn) and CVE-2020-25659 (cryptography) annotations

* SG-42118 Fix operator and marker for sub-level dependencies

Author: julien-lang

resources/python/requirements.txt

@@ -23,8 +23,9 @@ autobahn~=24.4.2  ; python_version >= "3.13"
 
 #-------------------------------------------------------------------------------
 # pyOpenSSL
-pyopenssl==25.0.0 ; python_version <  "3.13"
-pyopenssl~=25.0.0 ; python_version >= "3.13"
+# CVE-2026-27459 - fixed in 26.0.0 - Python 3.7 is N/A
+pyopenssl==25.0.0 ; python_version <  "3.9"
+pyopenssl~=26.0.0 ; python_version >= "3.9"
 
 #-------------------------------------------------------------------------------
 # Twisted
@@ -47,8 +48,8 @@ twisted~=24.11.0 ; python_version >= "3.13"
 #   → service-identity
 #   ↳ Twisted
 # Do not upgrade! The CI pipeline installs attrs==22.2.0 as a system-level test
-# dependency (see azure-pipelines/requirements.txt). pytest also imports attrs
-# early, caching it in sys.modules. From attrs 23.2.0,
+# dependency (see extra_test_dependencies in azure-pipelines.yml). pytest also
+# imports attrs early, caching it in sys.modules. From attrs 23.2.0,
 # `attrs/__init__.py` imports `Converter` from `attr`. If the bundled version is
 # newer than the cached one, that import fails with:
 #   ImportError: cannot import name 'Converter' from 'attr'
@@ -69,8 +70,8 @@ certifi==2026.1.4
 #   → cryptography → autobahn
 #                  ↳ pyOpenSSL
 #                  ↳ service-identity
-cffi>=1.15.1 ; python_version <  "3.13"
-cffi>=1.17.1 ; python_version >= "3.13"
+cffi>=1.15.1 ; python_version <  "3.9"
+cffi>=1.17.1 ; python_version >= "3.9"
 
 #-------------------------------------------------------------------------------
 # cryptography
@@ -86,7 +87,9 @@ cffi>=1.17.1 ; python_version >= "3.13"
 # CVE-2024-4603  - fixed in 43.0.1
 # CVE-2024-6119  - fixed in 43.0.1
 # CVE-2024-12797 - fixed in 44.0.1
-cryptography>=44.0.1
+# CVE-2026-26007 - bump from 44.0.1 - Python 3.7 is N/A
+cryptography>=44.0.1 ; python_version <  "3.9"
+cryptography>=46.0.5 ; python_version >= "3.9"
 
 #-------------------------------------------------------------------------------
 # hyperlink
@@ -104,6 +107,13 @@ hyperlink>=21.0.0
 idna>=3.7 ; python_version <  "3.13"
 idna>=3.8 ; python_version >= "3.13"
 
+
+#-------------------------------------------------------------------------------
+# pyasn1
+# Required by: service-identity
+# CVE-2026-30922 - fixed in 0.6.3 - Python 3.7 is N/A
+pyasn1>=0.6.3 ; python_version >= "3.9"
+
 #-------------------------------------------------------------------------------
 # service-identity
 # Required by: