NPA-6798: Resolve Dependabot issues in validated-relationships-service-api repo

[davesmallnhs]

Pull Request

🧾 Ticket Link

https://nhsd-jira.digital.nhs.uk/browse/NPA-6978

---

📄 Description/Summary of Changes

There are 14 Dependabot branches/PRs up to 14/05/2026. Most of these are small package updates.

Analysis:
-----8<-----8<-----8<-----8<-----8<-----
The 14 Dependabot branches break down into three categories:
pyproject.toml + lock file (direct dep bumps, 3 PRs):

• pip (deps-dev): bump black from 26.3.0 to 26.3.1 in /sandbox #320 — black 26.3.1 in pyproject.toml
• pip (deps-dev): bump black from 26.3.0 to 26.3.1 #321 — black 26.3.1 in pyproject.toml
• pip (deps-dev): bump pytest from 8.4.2 to 9.0.3 in /sandbox #332 — pytest 9.0.3 in pyproject.toml

Lock file only (transitive dep bumps, 10 PRs):

• poetry.lock: requests, cryptography, python-dotenv, lxml, urllib3, authlib
• poetry.lock: requests
• poetry.lock: (implied by sandbox pytest)
• package-lock.json: follow-redirects, basic-ftp, fast-uri

GitHub Actions YAML only (1 PR):

• github actions (deps): bump the github-dependencies group across 1 directory with 2 updates #345 — workflows changes, no lock files

So the practical plan is: apply the 3 pyproject.toml edits, regenerate all lock files fresh (which picks up all transitive updates in one shot), cherry-pick #345, then commit and push.
-----8<-----8<-----8<-----8<-----8<-----

Steps:

1. Made the required bumps to pyproject.toml and sandbox/pyproject.toml
2. Updated lock files:
   -- poetry lock
   -- cd sandbox && poetry lock && cd ..
   -- cd scripts && poetry lock && cd ..
   -- npm update follow-redirects basic-ftp fast-uri
3. cherry-pick github actions (deps): bump the github-dependencies group across 1 directory with 2 updates #345
   -- git cherry-pick origin/dependabot/github_actions/github-dependencies-0645f932cc
4. Noted vulnerability in pytest-nhsd-apim: upgraded from ^5.0.0 to ^6.0.0

Outcome is 'better than Dependabot':
Package | Dependabot suggested | Now in lock
black (root + sandbox) | 26.3.1 | 26.3.1 ✅
pytest (sandbox) | 9.0.3 | 9.0.3 ✅
python-dotenv | 1.2.2 | 1.2.2 ✅
lxml | 6.1.0 | 6.1.0 ✅
urllib3 | 2.7.0 | 2.7.0 ✅
requests | 2.33.0 | 2.34.2 ⬆️ newer
authlib | 1.6.12 | 1.7.2 ⬆️ newer
cryptography | 46.0.7 | 48.0.0 ⬆️ newer
follow-redirects | 1.16.0 | 1.16.0 ✅
basic-ftp | 5.3.1 | 5.3.1 ✅
fast-uri | 3.1.2 | 3.1.2 ✅

---

🧪 Developer Testing Carried Out

• make generate-postman-collection regenerates postman/validated_relationship_service.sandbox.postman_collection.json with only the UUIDs changed.
• make test-postman-collection SANDBOX_BASE_URL=https://sandbox.api.service.nhs.uk/validated-relationships/FHIR/R4: all tests pass

---

📋 PR Principles

• Keep PRs Small and Focused: Ensure the PR addresses a single task or feature to make it easier to review.
• Multiple PRs for one Ticket: When splitting work into multiple PRs, clearly describe what this PR addresses and outline the remaining work to complete the ticket.
• Ensure Tests Are Included: Add or update unit, integration, or end-to-end tests to cover the changes made.
• Follow Coding Standards: Ensure the code adheres to the team's coding guidelines and best practices.
• Resolve Comments Promptly: If you raise a comment, ensure you follow up and resolve it before approving the PR to maintain clarity and ensure comments are addressed.
• Foster Learning: PR reviews are an opportunity to share knowledge, provide constructive feedback, and encourage a collaborative environment.

🏷️ Naming Conventions Reminder

Please ensure the following naming conventions are followed:

• PR title follows the format: NPA-XXXX: <short-description>
• Branch name follows the convention: <type>/NPA-XXXX/<short-description>
• Commit messages follow the template: NPA-XXXX: <short-description>

[github-actions]

This branch is work on a ticket in the NHS Digital NPA JIRA Project. Here's a handy link to the ticket:

NPA-6798

[github-actions]

This branch is work on a ticket in the NHS Digital NPA JIRA Project. Here's a handy link to the ticket:

NPA-6798