chore: bump cryptography to 46.0.6 and aiohttp to 3.13.4 to fix CVEs

- cryptography>=46.0.6: fixes CVE-2026-34073 (DNS name constraint bypass)
- aiohttp>=3.13.4: fixes CVE-2026-34513,34515,34516,34517,34518,34519,34520,34525,22815

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>

Author: aieng-bot[bot]

pyproject.toml

@@ -8,7 +8,7 @@ license = "Apache-2.0"
 requires-python = ">=3.12,<4.0"
 dependencies = [
     "aieng-eval-agents>=0.1.0",
-    "aiohttp>=3.13.3",
+    "aiohttp>=3.13.4", # CVE-2026-34513,34515,34516,34517,34518,34519,34520,34525,22815: multiple vulns fixed in 3.13.4
     "beautifulsoup4>=4.13.4",
     "datasets>=3.6.0",
     "e2b-code-interpreter>=2.4.1",
@@ -29,6 +29,7 @@ dependencies = [
     "virtualenv>=20.36.1",
     "tenacity>=9.1.2",
     "certifi>=2026.1.4",
+    "cryptography>=46.0.6", # CVE-2026-34073: DNS name constraint bypass fixed in 46.0.6
     "pypdf>=6.9.1", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1
 ]