Automated downstream sync of changes from upstream as of 19-04-2026
[no-wpt-sync]
Signed-off-by: WPT Sync Bot <ghbot+wpt-sync@servo.org>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6
to 46.0.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.7 - 2026-04-07</p>
<pre><code>
* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="622d672e42"><code>622d672</code></a>
46.0.7 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14602">#14602</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.6...46.0.7">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/servo/servo/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
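Added example (not code from pyca/cryptography or from this repository): what "non-contiguous buffer" means in the 46.0.7 changelog entry above, and a caller-side guard that rejects or copies such buffers before they reach a native API. The function names are hypothetical and the sample bytes are constructed.

```python
"""Layout checks for objects that expose the Python buffer protocol."""

# Constructed sample: 16 bytes of backing storage and a strided view that
# selects every 4th byte (offsets 0, 4, 8 and 12).
BACKING = bytearray(b"AAAABBBBCCCCDDDD")
STRIDED = memoryview(BACKING)[::4]


def memory_span(view: memoryview) -> int:
    """Bytes of underlying memory covered from the first to the last element."""
    if 0 in view.shape:
        return 0
    span = view.itemsize
    for extent, stride in zip(view.shape, view.strides):
        span += (extent - 1) * abs(stride)
    return span


def layout(buf) -> dict:
    """Summarise the facts a native consumer must agree on before using buf."""
    view = memoryview(buf)
    return {
        "contiguous": view.c_contiguous,
        "nbytes": view.nbytes,      # logical payload size
        "strides": view.strides,    # byte step between consecutive elements
        "span": memory_span(view),  # memory actually covered by the elements
    }


def require_contiguous(buf) -> memoryview:
    """Hypothetical guard: refuse any buffer that is not one C-contiguous block."""
    view = memoryview(buf)
    if not view.c_contiguous:
        raise BufferError(
            f"non-contiguous buffer rejected: nbytes={view.nbytes}, "
            f"strides={view.strides}, span={memory_span(view)}"
        )
    return view


def to_contiguous_bytes(buf) -> bytes:
    """Alternative to rejecting: copy the elements into a contiguous bytes object."""
    return memoryview(buf).tobytes()


if __name__ == "__main__":
    print(layout(b"hello"))
    print(layout(STRIDED))
    # Reading nbytes bytes from the start of the backing memory is not the
    # same data as the view's logical content.
    print(bytes(BACKING[: STRIDED.nbytes]), to_contiguous_bytes(STRIDED))
    try:
        require_contiguous(STRIDED)
    except BufferError as exc:
        print(exc)
```

For the strided view, `nbytes` is 4 while the elements are spread over 13 bytes of backing memory, so code that treats the buffer as a base pointer plus `nbytes` is working on the wrong bytes.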
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5
to 46.0.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.6 - 2026-03-25</p>
<pre><code>
* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="91d728897b"><code>91d7288</code></a>
Cherry-pick <a
href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a>
(<a
href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.6">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
While we now pass a lot of worker tests, we still fail a bunch:
```
% fd '^worker-.*.html.ini'
tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html.ini
tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html.ini
tests/wpt/meta/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html.ini
tests/wpt/meta/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html.ini
tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/worker-import.http.html.ini
tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/worker-import.https.html.ini
tests/wpt/meta/content-security-policy/gen/top.meta/worker-src-self/worker-import.http.html.ini
tests/wpt/meta/content-security-policy/gen/top.meta/worker-src-self/worker-import.https.html.ini
tests/wpt/meta/content-security-policy/script-src/worker-data-set-timeout.sub.html.ini
tests/wpt/meta/content-security-policy/script-src/worker-importscripts.sub.html.ini
tests/wpt/meta/content-security-policy/script-src/worker-set-timeout.sub.html.ini
tests/wpt/meta/fetch/metadata/generated/worker-dedicated-constructor.sub.html.ini
tests/wpt/meta/fetch/metadata/generated/worker-dedicated-importscripts.https.sub.html.ini
tests/wpt/meta/fetch/metadata/generated/worker-dedicated-importscripts.sub.html.ini
tests/wpt/meta/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html.ini
tests/wpt/meta/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html.ini
tests/wpt/meta/referrer-policy/generic/subresource-test/worker-messaging.html.ini
tests/wpt/meta/service-workers/service-worker/worker-client-id.https.html.ini
tests/wpt/meta/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html.ini
tests/wpt/meta/service-workers/service-worker/worker-interception-redirect.https.html.ini
tests/wpt/meta/service-workers/service-worker/worker-interception.https.html.ini
tests/wpt/meta/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-classic.https.html.ini
tests/wpt/meta/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-module.https.html.ini
tests/wpt/meta/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-classic.https.html.ini
tests/wpt/meta/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-module.https.html.ini
tests/wpt/meta/wasm/webapi/esm-integration/worker-import-source-phase.tentative.html.ini
tests/wpt/meta/wasm/webapi/esm-integration/worker-import.tentative.html.ini
tests/wpt/meta/workers/Worker-creation-happens-in-parallel.https.html.ini
tests/wpt/meta/workers/Worker-postMessage-happens-in-parallel.https.html.ini
tests/wpt/meta/workers/Worker-terminate-forever-during-evaluation.html.ini
tests/wpt/meta/workers/worker-request-animation-frame.html.ini
```
Also, we are passing `Option<PolicyContainer>` down the call stack
through `LoadState`, which is more of a workaround. However, since
maintaining this long-lived branch is becoming a bit painful (merge
conflicts) and I was starting to lose momentum because of that, I would
like to get this merged rather sooner than later.
We will address the failing tests and find the right place for
`PolicyContainer` in follow-ups, including the added
`#[allow(clippy::too_many_arguments)]`.
# See also
* https://html.spec.whatwg.org/multipage/#worker-processing-model
* https://html.spec.whatwg.org/multipage/#fetch-a-module-worker-script-tree
---
Fixes: #23308
Testing: WPT tests
Signed-off-by: pylbrecht <pylbrecht@mailbox.org>
Co-authored-by: Gae24 <96017547+Gae24@users.noreply.github.com>
Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 25.3.0 to
26.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst">pyopenssl's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.0 (2026-03-15)</h2>
<p>Backward-incompatible changes:</p>
<ul>
<li>Dropped support for Python 3.7.</li>
<li>The minimum <code>cryptography</code> version is now 46.0.0.</li>
</ul>
<p>Deprecations:</p>
<p>Changes:</p>
<ul>
<li>Added support for using aws-lc instead of OpenSSL.</li>
<li>Properly raise an error if a DTLS cookie callback returned a cookie
longer than <code>DTLS1_COOKIE_LENGTH</code> bytes. Previously this
would result in a buffer-overflow. Credit to <strong>dark_haxor</strong>
for reporting the issue. <strong>CVE-2026-27459</strong></li>
<li>Added <code>OpenSSL.SSL.Connection.get_group_name</code> to
determine which group name was negotiated.</li>
<li><code>Context.set_tlsext_servername_callback</code> now handles
exceptions raised in the callback by calling <code>sys.excepthook</code>
and returning a fatal TLS alert. Previously, exceptions were silently
swallowed and the handshake would proceed as if the callback had
succeeded. Credit to <strong>Leury Castillo</strong> for reporting this
issue. <strong>CVE-2026-27448</strong></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="358cbf29c4"><code>358cbf2</code></a>
Prepare for 26.0.0 release (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1487">#1487</a>)</li>
<li><a
href="a8d28e7069"><code>a8d28e7</code></a>
Bump actions/cache from 4 to 5 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1486">#1486</a>)</li>
<li><a
href="6fefff0556"><code>6fefff0</code></a>
Add aws-lc compatibility to tests and CI (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1476">#1476</a>)</li>
<li><a
href="a739f9661d"><code>a739f96</code></a>
Bump actions/download-artifact from 8.0.0 to 8.0.1 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1485">#1485</a>)</li>
<li><a
href="8b4c66b1b5"><code>8b4c66b</code></a>
Bump actions/upload-artifact in /.github/actions/upload-coverage (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1484">#1484</a>)</li>
<li><a
href="02a5c78435"><code>02a5c78</code></a>
Bump actions/upload-artifact from 6.0.0 to 7.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1483">#1483</a>)</li>
<li><a
href="d9733878d6"><code>d973387</code></a>
Bump actions/download-artifact from 7.0.0 to 8.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1482">#1482</a>)</li>
<li><a
href="57f09bb4bb"><code>57f09bb</code></a>
Fix buffer overflow in DTLS cookie generation callback (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1479">#1479</a>)</li>
<li><a
href="d41a814759"><code>d41a814</code></a>
Handle exceptions in set_tlsext_servername_callback callbacks (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1478">#1478</a>)</li>
<li><a
href="7b29beba77"><code>7b29beb</code></a>
Fix not using a cryptography wheel on uv (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1475">#1475</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.1.5 to
3.1.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pallets/werkzeug/releases">werkzeug's
releases</a>.</em></p>
<blockquote>
<h2>3.1.6</h2>
<p>This is the Werkzeug 3.1.6 security fix release, which fixes a
security issue but does not otherwise change behavior and should not
result in breaking changes compared to the latest feature release.</p>
<p>PyPI: <a
href="https://pypi.org/project/Werkzeug/3.1.6/">https://pypi.org/project/Werkzeug/3.1.6/</a>
Changes: <a
href="https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6">https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6</a></p>
<ul>
<li><code>safe_join</code> on Windows does not allow special devices
names in multi-segment paths. <a
href="https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x">GHSA-29vq-49wr-vm6x</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pallets/werkzeug/blob/main/CHANGES.rst">werkzeug's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.1.6</h2>
<p>Released 2026-02-19</p>
<ul>
<li><code>safe_join</code> on Windows does not allow special devices
names in
multi-segment paths. :ghsa:<code>29vq-49wr-vm6x</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="04da1b5221"><code>04da1b5</code></a>
release version 3.1.6</li>
<li><a
href="f407712fdc"><code>f407712</code></a>
Merge commit from fork</li>
<li><a
href="f54fe98026"><code>f54fe98</code></a>
safe_join prevents Windows special device names in multi-segment
paths</li>
<li><a
href="d005985ef6"><code>d005985</code></a>
start version 3.1.6</li>
<li><a
href="8565c2cbd6"><code>8565c2c</code></a>
document rule priority (<a
href="https://redirect.github.com/pallets/werkzeug/issues/3102">#3102</a>)</li>
<li><a
href="3febc7e900"><code>3febc7e</code></a>
document rule priority</li>
<li><a
href="2525b82764"><code>2525b82</code></a>
remove state machine docs</li>
<li><a
href="4abfbd553c"><code>4abfbd5</code></a>
rewrite build docstring (<a
href="https://redirect.github.com/pallets/werkzeug/issues/3097">#3097</a>)</li>
<li><a
href="161c18b2a8"><code>161c18b</code></a>
rewrite build docstring</li>
<li><a
href="86e11c29e4"><code>86e11c2</code></a>
release version 3.1.5 (<a
href="https://redirect.github.com/pallets/werkzeug/issues/3085">#3085</a>)</li>
<li>See full diff in <a
href="https://github.com/pallets/werkzeug/compare/3.1.5...3.1.6">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.4
to 46.0.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.5 - 2026-02-10</p>
<pre><code>
* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="06e120e682"><code>06e120e</code></a>
bump version for 46.0.5 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14289">#14289</a>)</li>
<li><a
href="0eebb9dbb6"><code>0eebb9d</code></a>
EC check key on cofactor > 1 (<a
href="https://redirect.github.com/pyca/cryptography/issues/14287">#14287</a>)</li>
<li><a
href="bedf6e186b"><code>bedf6e1</code></a>
fix openssl version on 46 branch (<a
href="https://redirect.github.com/pyca/cryptography/issues/14220">#14220</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.4...46.0.5">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This will avoid updating the lockfile during regular operations. Also
ignore the `servo.egg-info` directory, which
the new python requirement installation mechanism via setuptools
creates.
To update the lockfile one can run `uv lock`. This is also done
automatically, when syncing requirements from WPT.
This PR also updates the uv version in CI to a newer one. If you
encounter any issues with the lockfile after this PR, it might be
necessary to update your local instance of uv.
Testing: Build still works. [mach try
full](https://github.com/servo/servo/actions/runs/21624364040)
---------
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
This is a temporary fix until a more complete solution, such
as the one from #42169, works consistently.
Testing: This should be tested by the CI run.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This switches FileManager from being behind an Arc<Mutex<FileManager>>
to just FileManager.
This saves us the Arc and Mutex and the compiler makes sure that we do
not have race conditions.
FileManager is already easily cloneable because it consists of store:
Arc<> and GenericEmbedderProxy.
Testing: Compilation and unit tests are the tests.
Signed-off-by: Narfinger <Narfinger@users.noreply.github.com>
Instead of attempting to manage the virtual environment ourselves, use
`uv` to manage the installation of dependencies.
Since we still have dependencies coming from upstream wpt, we use
`[tool.setuptool]` in our pyproject.toml to ensure that `uv` dynamically
installs our dependencies according to the requirements.txt files.
Additionally, this PR also reverts `--no-project` usage. `--no-project`
was added as a temporary workaround in
https://github.com/servo/servo/pull/37741.
It's not 100% clear to me what exactly the issue was, but
[apparently](https://github.com/servo/servo/pull/37741#pullrequestreview-2985666234)
the issue caused the build to break.
Removing the arg seems to work fine, except that we get a warning about
a missing `requires-python` value in `pyproject.toml`.
Apparently it is good practice to specify the requirement as `>=` in the
pyproject, and lock the exact version via `uv pin` (which writes to
`.python_version`, where we already pin 3.11).
Testing: Should be covered by existing tests, which compile code on all
platforms.
---------
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>