build(deps): bump bandit from 1.10.3 to 1.11.0

[dependabot]

Bumps bandit from 1.10.3 to 1.11.0.

Changelog

Sourced from bandit's changelog.

1.11.0 (1 May 2026)

Fixes

• Fix WebSocket inflate vulnerability (CVE-2026-39804, commit 8156921, thanks @​PJUllrich & @​maennchen!)
• Fix WebSocket continuation frame handling vulnerability (CVE-2026-42786, commit 21612c7, thanks @​PJUllrich & @​maennchen!)
• Fix HTTP/2 frame size parsing vulnerability (CVE-2026-42788, commit 1e8e559, thanks @​PJUllrich & @​maennchen!)
• Improve handling of zero/negative length & offset parameters to send_file (#580, thanks @​PJUllrich & @​maennchen!)

Enhancements

• Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
• Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

• The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
• Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
• Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @​PJUllrich & @​maennchen!)
• We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @​PJUllrich & @​maennchen!)

1.10.4 (25 Mar 2026)

Enhancements

• Support {:shutdown, :disconnected} as a normal WebSocket result code (#576, thanks @​wwitek-whatnot!)

Commits

• e626198 Version bump to 1.11.0
• 014c157 Tweaks to Autobahn test suite
• 1e8e559 Merge commit from fork
• 45feea2 Merge commit from fork
• f2ca636 Merge commit from fork
• 21612c7 Merge commit from fork
• 8156921 Merge commit from fork
• fc3cf61 Improve handling of edge cases in send_file (#580)
• 1085ad0 Bump machete from 0.3.11 to 0.3.12 (#579)
• c70e175 Bump credo from 1.7.17 to 1.7.18 (#578)
• Additional commits viewable in compare view

[github-actions]

TCK Compliance Results

📊 COMPREHENSIVE TEST RESULTS SUMMARY
================================================================================

🔴 Mandatory Tests:           ✅ PASSED (p:83/f:0/x:0/e:0/s:32)
🔄 Capability Tests:          ✅ PASSED (p:20/f:0/x:1/e:0/s:54)
🚀 Transport Equivalence:     ✅ PASSED (p:0/f:0/x:0/e:0/s:16)
🛡️  Quality Tests:             ✅ PASSED (p:14/f:0/x:0/e:0/s:0)
🎨 Feature Tests:             ✅ PASSED (p:14/f:0/x:1/e:0/s:1)

🎉 A2A COMPLIANCE: ✅ PASSED
Your implementation meets A2A specification requirements!
🔄 CAPABILITY HONESTY: ✅ EXCELLENT
All declared capabilities work correctly!
🛡️  PRODUCTION QUALITY: ✅ HIGH
Implementation is robust and production-ready!
🎨 FEATURE COMPLETENESS: ✅ COMPREHENSIVE
Implementation includes valuable optional features!

🏆 OUTSTANDING A2A IMPLEMENTATION!

================================================================================

========================================
TCK run complete.
Stopping server (PID 2786)...

09:58:21.554 [notice] SIGTERM received - shutting down

[maxekman]

/dependabot rebase

[github-actions]

TCK 1.0-dev Compatibility Results (experimental)

This run is informational — failures do not block CI.

             A2A TCK Compatibility Report              
═══════════════════════════════════════════════════════
SUT: http://localhost:9999
Timestamp: 2026-05-04T09:58:07.609910+00:00

OVERALL COMPATIBILITY: 43.3%

┌─────────────┬────────┬────────┬─────────┬───────┐
│ Level       │ Passed │ Failed │ Skipped │ Total │
├─────────────┼────────┼────────┼─────────┼───────┤
│ MUST        │     25 │     54 │      35 │   114 │
│ SHOULD      │      2 │      9 │       0 │    11 │
│ MAY         │      2 │      2 │       0 │     4 │
└─────────────┴────────┴────────┴─────────┴───────┘

BY TRANSPORT:
  agent_card:    7/10 ⚠
  grpc:          0/72 (72 skipped) ✓
  jsonrpc:       28/99 (30 skipped) ⚠
  http_json:     3/83 (80 skipped) ✓

FAILED REQUIREMENTS:
  ✗ CARD-STRUCT-001 (): $: 'url' does not match any of the regexes: '^(default_input_modes)$', '^(default_output_modes)$', '^(documentation_url)$', '^(icon_url)$', '^(security_requirements)$', '^(security_schemes)$', '^(supported_interfaces)$'
  ✗ CARD-CACHE-002 (agent_card): Agent Card response should include an ETag header
  ✗ CARD-CACHE-003 (agent_card): Agent Card response may include a Last-Modified header
  ✗ DM-ART-001 (jsonrpc): Response contains no artifacts
  ✗ DM-MSG-001 (jsonrpc): Expected a Message response, but got a Task or no payload
  ✗ DM-TASK-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-TASK-002 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-MSG-002 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-PART-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-STATUS-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-SERIAL-004 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ VER-SERVER-002 (jsonrpc): Expected VersionNotSupportedError for A2A-Version: 99.0
  ✗ JSONRPC-SSE-002 (): Error code mismatch: expected ContentTypeNotSupportedError (-32005), got ParseError (-32700)
  ✗ JSONRPC-ERR-003 (): error.data is absent — A2A errors MUST include ErrorInfo in data array
  ✗ CORE-SEND-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ CORE-SEND-003 (jsonrpc): Operation failed: Invalid parameters
  ✗ CORE-LIST-001 (jsonrpc): $.tasks[0]: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ CORE-LIST-002 (jsonrpc): $.tasks[0]: 'kind' does not match any of the regexes: '^(context_id)$'