chore: refresh vulnerable Docker dependencies #2011

Open
mvletter wants to merge 1 commit into unclecode:main from mvletter:mvletter/security-dependency-refresh
@mvletter

Summary

This refreshes dependency floors used by the Docker image to clear fix-available HIGH/CRITICAL Trivy findings in the runtime image.

Changes:

  • Raise Python dependency floors for aiohttp, lxml, pillow, nltk, urllib3, brotli, pyOpenSSL, and cryptography.
  • Relax Docker API PyJWT to a patched <3 range and make setuptools/wheel explicit in the Docker requirements.
  • Upgrade pip, setuptools, and wheel during the Docker build.
  • Remove the checked-in /tmp/project/sbom from the runtime image after COPY . /tmp/project/; the checked-in SBOM currently describes older packages and caused Trivy to report stale vulnerable versions even when runtime packages were patched.
  • Run a final Debian dist-upgrade after Playwright installs OS dependencies, so newly installed apt packages are also at current Bookworm security levels.

Validation

  • uv lock --check
  • uv sync --locked --no-dev --python 3.12
  • Python import/version smoke for the refreshed packages on Python 3.12
  • docker build --platform linux/amd64 -t crawl4ai:security-dependency-refresh .
    • Dockerfile crawl4ai-doctor completed successfully and crawled https://crawl4ai.com.
  • Runtime package check in the built image:
    • aiohttp 3.14.1
    • lxml 6.1.1
    • Pillow 12.2.0
    • nltk 3.9.4
    • urllib3 2.7.0
    • pyOpenSSL 26.2.0
    • cryptography 48.0.1
    • brotli 1.2.0
    • PyJWT 2.13.0
    • setuptools 82.0.1
    • wheel 0.47.0
    • crawl4ai 0.8.9
  • Confirmed the stale project SBOM is absent from the runtime image: test ! -e /tmp/project/sbom.
  • Trivy scan of the rebuilt image:
    • {"total":0,"by_pkg":[]}

Note

A local uv sync --locked --no-dev against Python 3.14 failed because the existing lock resolved tiktoken==0.9.0 there and no wheel was available in this environment. The Docker/runtime path uses Python 3.12; uv sync --locked --no-dev --python 3.12 passed.
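
The stale-SBOM problem described in the summary can be caught before a scanner reads the file. This is an added example, not part of this PR or the crawl4ai code base: it assumes the checked-in SBOM is CycloneDX JSON (the PR does not state the format), and the SBOM versions in the sample are constructed.

```python
"""Flag SBOM entries that no longer match the installed Python packages."""
import re
from importlib import metadata


def normalize(name):
    # PEP 503 name normalization so "Pillow" and "pillow" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def sbom_versions(sbom):
    """Map PyPI component names to the versions recorded in the SBOM."""
    recorded = {}
    for comp in sbom.get("components", []):
        # Only PyPI components; other ecosystems are not checked here.
        if comp.get("purl", "").startswith("pkg:pypi/") and comp.get("version"):
            recorded[normalize(comp["name"])] = comp["version"]
    return recorded


def installed_versions():
    """Versions of the distributions visible to the running interpreter."""
    return {normalize(d.metadata["Name"]): d.version
            for d in metadata.distributions() if d.metadata["Name"]}


def stale_entries(sbom, installed):
    """Return (name, sbom_version, installed_version) for every mismatch."""
    drift = []
    for name, recorded in sorted(sbom_versions(sbom).items()):
        actual = installed.get(name)  # None: listed in the SBOM, not installed
        if actual != recorded:
            drift.append((name, recorded, actual))
    return drift


# Constructed sample data: the SBOM versions are invented for illustration;
# the installed versions are the ones listed in the PR's runtime check.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "aiohttp", "version": "3.9.0", "purl": "pkg:pypi/aiohttp@3.9.0"},
    {"name": "Pillow", "version": "12.2.0", "purl": "pkg:pypi/pillow@12.2.0"},
    {"name": "example-removed-pkg", "version": "1.0.0",
     "purl": "pkg:pypi/example-removed-pkg@1.0.0"},
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
]}
SAMPLE_INSTALLED = {"aiohttp": "3.14.1", "pillow": "12.2.0"}

if __name__ == "__main__":
    for name, recorded, actual in stale_entries(SAMPLE_SBOM, SAMPLE_INSTALLED):
        print(f"{name}: SBOM says {recorded}, image has {actual or 'nothing'}")
```

Inside the image, pass `installed_versions()` as the second argument and fail the build when the returned list is non-empty.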