fix: update urllib3 to resolve CVE-2026-44431

[dannyneira]

Summary

• Updates urllib3 from 2.3.0 to 2.7.0 in candle-examples/examples/marian-mt/python/requirements.txt.
• Resolves direct runtime pip Dependabot alerts for urllib3 in the marian-mt Python example.

Alerts resolved

• https://github.com/warpdotdev/candle/security/dependabot/15 — CVE-2025-66418, high, patched in 2.6.0
• https://github.com/warpdotdev/candle/security/dependabot/16 — CVE-2025-66471, high, patched in 2.6.0
• https://github.com/warpdotdev/candle/security/dependabot/18 — CVE-2026-21441, high, patched in 2.6.3
• https://github.com/warpdotdev/candle/security/dependabot/27 — CVE-2026-44431, high, patched in 2.7.0
• https://github.com/warpdotdev/candle/security/dependabot/4 — CVE-2025-50181, moderate, patched in 2.5.0
• https://github.com/warpdotdev/candle/security/dependabot/5 — CVE-2025-50182, moderate, patched in 2.5.0

Advisory references

• GHSA-gm62-xv2j-4w53
• GHSA-2xpw-w6gg-jr37
• GHSA-38jv-5279-wg99
• GHSA-qccp-gfcp-xxvc
• GHSA-pq67-6m6q-mj2v
• GHSA-48p4-8xcf-vxj5

Verification

• python3 -m pip install --dry-run -r candle-examples/examples/marian-mt/python/requirements.txt completed successfully.
• pip-audit -r candle-examples/examples/marian-mt/python/requirements.txt --format json reports urllib3 2.7.0 with 0 vulnerabilities.
• python3 -m compileall candle-examples/examples/marian-mt/python/convert_slow_tokenizer.py completed successfully.
• pip-audit still reports existing vulnerabilities in other packages in this requirements file; those are outside this PR's selected urllib3 batch.

Conversation: https://staging.warp.dev/conversation/6815902a-0689-493a-acde-a89c314bc141
Run: https://oz.staging.warp.dev/runs/019e3184-1efd-7dea-b2f2-e8b9fd143adf
This PR was generated with Oz.