
chore(deps): upgrade locks for deprecated integration packages #398

Merged
Abhijeet Prasad (AbhiPrasad) merged 1 commit into main from chore/upgrade-deprecated-integration-locks on May 6, 2026

Conversation

@starfolkai (starfolkai Bot, Contributor) commented May 6, 2026

Summary

  • Run uv lock --upgrade on integrations/adk-py/uv.lock and integrations/langchain-py/uv.lock.
  • Both packages are deprecated (Development Status :: 7 - Inactive, READMEs direct users to install braintrust instead) but their lockfiles still surface Dependabot alerts.
  • Pulls upstream security fixes; closes ~43 of the open alerts in one shot.

adk-py — all 27 alerts close

Notable bumps past CVE fix versions:

  • google-adk 1.27.0 → 1.32.0 (critical RCE, GHSA-rg7c-g689-fr3x)
  • authlib 1.6.5 → 1.7.2 (closes 5 alerts incl. alg:none bypass and JWE Bleichenbacher)
  • cryptography 46.0.1 → 48.0.0
  • urllib3 1.26.20 → 2.6.3
  • mcp 1.20.0 → 1.27.0 (DNS rebinding)
  • gitpython, pyasn1, python-multipart, pyjwt, protobuf, sqlparse, pygments, python-dotenv, pytest all bumped past their fix versions.

langchain-py — ~16 of 23 alerts close

Cleared: cryptography, gitpython, urllib3, requests, orjson, pygments, pytest, filelock, virtualenv, langsmith, python-dotenv, plus the aiohttp/cryptography clusters.

Will not clear without further work: langchain-core, langgraph, langgraph-checkpoint, langchain-text-splitters, langchain-openai — fixes are all gated on the LangChain 1.x major bump, but pyproject.toml pins langchain>=0.3.27 and the resolution stays in 0.3.x. Recommend dismissing those as "won't fix, deprecated package" or deleting the lockfile entirely as a follow-up.

Test plan

  • CI passes (lockfile-only change; no source edits).
  • Confirm Dependabot rescans and closes the expected alerts after merge.

🤖 Generated with Claude Code

Run `uv lock --upgrade` on integrations/adk-py and integrations/langchain-py
to pull in security fixes from upstream. Both packages are deprecated
(Development Status :: 7 - Inactive) but still surface Dependabot alerts.

Closes ~43 of the open alerts. The remaining LangChain-ecosystem alerts
(langchain-core, langgraph, langgraph-checkpoint, langchain-text-splitters,
langchain-openai) require a langchain 1.x bump in pyproject.toml; not
worth doing for a deprecated package.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@AbhiPrasad Abhijeet Prasad (AbhiPrasad) enabled auto-merge (squash) May 6, 2026 23:15
@AbhiPrasad Abhijeet Prasad (AbhiPrasad) merged commit 0f0c1ce into main May 6, 2026
82 checks passed
@AbhiPrasad Abhijeet Prasad (AbhiPrasad) deleted the chore/upgrade-deprecated-integration-locks branch May 6, 2026 23:17
