CRAYSAT-2051: Resolve dependabot alerts

[annapoorna-s-alt]

Summary and Scope

Summarize what has changed. Explain why this PR is necessary. What is impacted? Is this a new feature, critical bug fix, etc?

Fix the vulnerabilities for teh following:

• Resolve dependabot alert which bumps marshmallowfrom 3.14.1 to 3.26.2 to address CVE-2025-68480
• Resolve dependabot alert which bumps pynacl from 1.5.0 to 1.6.2 to address CVE-2025-69277
• Resolve dependabot alert which bumps urllib3 from 2.6.0 to 2.6.3 to address CVE-2026-21441

Issues and Related PRs

List and characterize relationship to Jira/Github issues and other pull requests. Be sure to list dependencies.

• Resolves CRAYSAT-2051

Testing

List the environments in which these changes were tested.

Tested on:

• starlord(CSM V1.7.1 ssytem)

Test description:

How were the changes tested and success verified? If schema changes were part of this change, how were those handled in your upgrade/downgrade testing?

• Basic sanity tests along with non destructive sat bootsys test which uses paramiko

Risks and Mitigations

Are there known issues with these changes? Any other special considerations?

Pull Request Checklist

• Version number(s) incremented, if applicable
• Copyrights updated
• License file intact
• Target branch correct
• CHANGELOG.md updated
• Testing is appropriate and complete, if applicable
• HPC Product Announcement prepared, if applicable

[haasken-hpe]

Looks good, pending testing.

I will repeat the main point I made to you in slack here as well:

• The cffi upgrade to version 2.0.0 drops support for Python 3.8, so we may want to update the minimum required Python version to 3.9 in setup.py. It's probably not too critical though. It looks like we're on Python 3.10 in the Alpine container image already.
• I would suggest doing some level of testing on our code which uses paramiko, which is how cffi gets pulled in. I expect it will be fine, but it will be good to smoke-test that, especially this late in the release.

[annapoorna-s-alt]

Smoke-tests on starlord(CSM V1.7.1 system)

(818c11ac15cb) sat-container:/sat/share # sat --version
sat 3.36.5

(818c11ac15cb) sat-container:/sat/share # sat status
INFO: All values for 'Most Recent Session Template' are 'MISSING', omitting key.
+----------------+-----------+------+----------+-----------+------+---------+------+-------+-------------+---------+----------+---------+-------------------------------+----------------------+-------------+-------------+--------------------------------------+--------------------------------------+
| xname          | Aliases   | Type | NID      | State     | Flag | Enabled | Arch | Class | Role        | SubRole | Net Type | Locked  | Desired Config                | Configuration Status | Error Count | Boot Status | Most Recent BOS Session              | Most Recent Image                    |
+----------------+-----------+------+----------+-----------+------+---------+------+-------+-------------+---------+----------+---------+-------------------------------+----------------------+-------------+-------------+--------------------------------------+--------------------------------------+
| x3000c0s1b0n0  | ncn-m001  | Node | 100001   | Populated | OK   | True    | X86  | River | Management  | Master  | Sling    | True    | management-25.9.0-rc.4-171upg | configured           | 0           | stable      | MISSING                              | MISSING                              |
| x3000c0s3b0n0  | ncn-m002  | Node | 100002   | Ready     | OK   | True    | X86  | River | Management  | Master  | Sling    | True    | management-25.9.0-rc.4-171upg | configured           | 0           | stable      | MISSING                              | MISSING                              |
...

(818c11ac15cb) sat-container:/sat/share # sat showrev --local
################################################################################
Local Host Operating System
################################################################################
+-----------+----------------------------+
| component | version                    |
+-----------+----------------------------+
| Kernel    | 6.4.0-150700.53.22-default |
| SLES      | SLES 15-SP7                |
+-----------+----------------------------+

(818c11ac15cb) sat-container:/sat/share # sat bootsys shutdown --stage capture-state
INFO: Capturing system state.
INFO: Capturing kubernetes pod state
WARNING: Unverified HTTPS request is being made to host 'rgw-vip.nmn'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
INFO: Finished capturing system state.

[annapoorna-s-alt]

/backport release/3.36

[github-actions]

Backporting into branch release/3.36 was successful. New PR: #384