Bump urllib3 from 2.2.3 to 2.6.3 to fix 5 CVEs

[devin-ai-integration]

Bump urllib3 from 2.2.3 to 2.6.3 to fix 5 CVEs

Summary

Bumps urllib3 from 2.2.3 to 2.6.3 in requirements.txt to resolve 5 known vulnerabilities (CVE-2025-50182, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441). Addresses Dependabot alert #7.

urllib3 2.6.3 remains within the requests==2.32.4 compatibility range (urllib3<3,>=1.21.1). Verified with pip-audit — no known vulnerabilities remain after the bump.

Review & Testing Checklist for Human

• Verify the app still works end-to-end (create order + poll order flow) since there are no automated tests in this repo and urllib3 jumped 4 minor versions
• Skim the urllib3 changelog between 2.2.3 and 2.6.3 for any behavioral changes that could affect HTTP request handling

Notes

• Requested by: @soinclined
• Link to Devin run

[devin-ai-integration]

Original prompt from Penelope

Please TAL at the following dependabot alert and create a PR that doesn't break anything and resolves this issue.

https://github.com/Crossmint/headless-python-payusdc/security/dependabot/7

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring