chore(deps): resolve Dependabot security alerts across npm and python#1302

Open
mishushakov wants to merge 2 commits into main from mishushakov/dependabot-fixes

Conversation

@mishushakov
Member

Summary

Resolves all 31 open Dependabot alerts across the workspace.

  • npm — added range-based pnpm.overrides to bump vulnerable transitive deps to their patched versions: postcss, vite, lodash, brace-expansion, picomatch (2.x + 4.x), yaml, @tootallnate/once, smol-toml, flatted, and minimatch (3.x/5.x/9.x/10.x).
  • python-sdk — bumped dev deps in poetry.lock: pytest 7.4 → 9.0.3 (with constraint update in pyproject.toml), pytest-asyncio 0.23 → 1.3 (required for pytest 9), python-dotenv 1.2.2, pygments 2.20.0, requests 2.33.1, black 26.3.1; removed 4 now-unused # ty: ignore directives that pytest 9's stricter type signatures made obsolete.

Test plan

  • `pnpm run typecheck` passes
  • `pnpm run lint` passes
  • `pnpm run format` clean
  • CLI tests (80/80) and js-sdk/python-sdk unit tests pass; integration tests not run locally (need `E2B_API_KEY`)

🤖 Generated with Claude Code

Bump vulnerable transitive npm deps (postcss, vite, lodash, brace-expansion,
picomatch, yaml, @tootallnate/once, smol-toml, flatted, minimatch) via
range-based pnpm overrides. Bump python-sdk dev deps in poetry.lock
(pytest 9.0.3, pytest-asyncio 1.3.0, python-dotenv 1.2.2, pygments 2.20.0,
requests 2.33.1, black 26.3.1). Remove now-unused ty:ignore directives that
pytest 9's stricter type signatures made obsolete.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Apr 29, 2026

⚠️ No Changeset found

Latest commit: 292d4e6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@cursor

cursor Bot commented Apr 29, 2026

PR Summary

Medium Risk
Primarily dependency/lockfile changes, but includes major-version upgrades to Python test infrastructure and async fixture lifecycle handling that could cause CI/test regressions or subtle cleanup timing differences.

Overview
Updates the JS/TS workspace dependency resolution by expanding pnpm.overrides to force patched versions of several vulnerable transitive packages (including postcss, vite, lodash, brace-expansion, picomatch, yaml, @tootallnate/once, smol-toml, flatted, and multiple minimatch ranges), with corresponding lockfile churn.

Upgrades Python SDK dev tooling in pyproject.toml/poetry.lock (notably pytest to 9.0.3 and pytest-asyncio to 1.3.0, plus related bumps like black, requests, python-dotenv, pygments) and adjusts pytest configuration/fixtures to match new asyncio defaults (switching async fixtures to pytest_asyncio.fixture, removing the custom session event_loop, and ensuring async resource cleanup occurs in async teardown).

Reviewed by Cursor Bugbot for commit 292d4e6. Bugbot is set up for automated code reviews on this repo. Configure here.

@github-actions
Contributor

github-actions Bot commented Apr 29, 2026

Package Artifacts

Built from ac54dec. Download artifacts from this workflow run.

JS SDK (e2b@2.19.3-mishushakov-dependabot-fixes.0):

npm install ./e2b-2.19.3-mishushakov-dependabot-fixes.0.tgz

CLI (@e2b/cli@2.10.1-mishushakov-dependabot-fixes.0):

npm install ./e2b-cli-2.10.1-mishushakov-dependabot-fixes.0.tgz

Python SDK (e2b==2.20.2+mishushakov-dependabot-fixes):

pip install ./e2b-2.20.2+mishushakov.dependabot.fixes-py3-none-any.whl

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 1fb935b. Configure here.

Comment thread packages/python-sdk/pyproject.toml
pytest-asyncio 1.x deprecated the session-scoped event_loop fixture
override, which caused class-based async tests to fail with
"Event loop is closed" — the per-loop httpx transport cache in
AsyncTransportWithLogger was keyed by id(loop), and recycled loop
addresses returned stale transports tied to closed loops.

Pin tests and fixtures to a single session loop via
asyncio_default_fixture_loop_scope and asyncio_default_test_loop_scope,
and convert async_sandbox_factory and async_volume to yield-style async
fixtures so cleanup runs in the same loop without run_until_complete.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
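The commit message above traces the "Event loop is closed" failures to a transport cache keyed by id(loop). The following is an added example, not the e2b project's code, that models that keying defect next to a defensive keying: the `Transport` stand-in, the two cache classes and `probe` are constructed for illustration, and the commit's actual fix (pinning tests to one session loop via the pytest-asyncio loop-scope settings plus yield-style fixtures) is a different remedy from the cache change shown here.

```python
import asyncio
import gc
import weakref

class Transport:
    """Stand-in for an httpx transport (constructed here); holds its loop only weakly."""
    def __init__(self, loop):
        self.loop_ref = weakref.ref(loop)

class IdKeyedTransportCache:
    """Defective pattern from the commit message: keyed by id(loop), which is unique
    only among live objects; closed loops are never evicted either."""
    def __init__(self):
        self._by_id = {}
    def get(self, loop):
        if id(loop) not in self._by_id:
            self._by_id[id(loop)] = Transport(loop)
        return self._by_id[id(loop)]

class LoopKeyedTransportCache:
    """Defensive variant: key by the loop object through a WeakKeyDictionary (a
    collected loop cannot alias a new one) and refuse closed loops outright."""
    def __init__(self):
        self._by_loop = weakref.WeakKeyDictionary()
    def get(self, loop):
        if loop.is_closed():
            raise RuntimeError("event loop is closed; refusing to hand out a transport")
        transport = self._by_loop.get(loop)
        if transport is None:
            transport = self._by_loop[loop] = Transport(loop)
        return transport

def probe(cache):
    """Returns (stale_after_close, fresh_loop_gets_own_transport): does a closed loop
    still get its old transport, and after freeing it is a new loop bound to itself?
    Address reuse is not guaranteed, so the id-keyed cache fails the second check
    only sometimes; the loop-keyed cache never does."""
    old = asyncio.new_event_loop()
    first = cache.get(old)
    old.close()
    try:
        stale = cache.get(old) is first
    except RuntimeError:
        stale = False
    del old, first
    gc.collect()  # free the old loop so CPython may reuse its address for the next one
    new = asyncio.new_event_loop()
    own = cache.get(new).loop_ref() is new
    new.close()
    return stale, own
```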