fix: Add exclude-newer and upgrade requests to 2.33.0

Add exclude-newer = "4 days" to [tool.uv] to limit dependency
resolution to packages published at least 4 days ago, reducing
risk from supply chain attacks on newly published packages.
See: https://docs.astral.sh/uv/reference/settings/#exclude-newer

Upgrade requests from 2.32.5 to 2.33.0 to fix insecure temp file
reuse vulnerability in extract_zipped_paths().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: holmboe

CHANGELOG.md

@@ -36,6 +36,8 @@ Major release featuring a migration from docopt-ng to Typer for the CLI framewor
 * Fix monogram shortcuts not working with global options
 * Improve error handling and standardize error format
 * Fix passphrase show subcommand for monogram shortcuts
+* Fix PyInstaller entry point for Typer CLI package structure
+* Fix insecure temp file reuse vulnerability in requests (upgrade to 2.33.0)
 
 ## Other Notes
 
@@ -44,6 +46,7 @@ Major release featuring a migration from docopt-ng to Typer for the CLI framewor
 * Removed unused MANIFEST.in
 * Updated pre-commit hooks
 * Cleaned up constants.py
+* Added `exclude-newer` to `[tool.uv]` for supply chain protection
 
 
 # 0.7.1 (2026-03-07)

pyproject.toml

@@ -53,5 +53,8 @@ phabfive = "phabfive.cli:cli_entrypoint"
 Homepage = "https://github.com/dynamist/phabfive"
 Download = "https://github.com/dynamist/phabfive/releases"
 
+[tool.uv]
+exclude-newer = "4 days"
+
 [tool.hatch.build.targets.wheel]
 packages = ["phabfive"]