fix(deps): bump nltk from 3.9.1 to 3.9.3 to address CVE-2025-14009

[devin-ai-integration]

Summary

Bumps nltk from 3.9.1 to 3.9.3 to remediate CVE-2025-14009 (CVSS 10.0) — a Zip Slip vulnerability in nltk.downloader._unzip_iter that calls zipfile.extractall() without path validation. The vulnerable code path is exercised by the CDK's unstructured_parser.py which calls nltk.download().

One-line change in pyproject.toml (line 79). The poetry.lock diff is large because it was regenerated with a different Poetry version (1.8.5 vs 2.0.1), which stripped groups/markers metadata and downgraded the lock format from 2.1 to 2.0.

Resolves https://github.com/airbytehq/oncall/issues/11795:

• https://github.com/airbytehq/oncall/issues/11795

Review & Testing Checklist for Human

• Verify the poetry.lock format downgrade (2.1 → 2.0) is acceptable. The lockfile was regenerated with Poetry 1.8.5 instead of 2.0.1, stripping groups and markers annotations. Confirm CI and other environments are compatible with the 2.0 lock format. If not, the lockfile should be regenerated with Poetry 2.x.
• Confirm nltk 3.9.3 is the correct patched version for CVE-2025-14009 (ref: GHSA-7p94-766c-hgjp)

Notes

• Prior art: the last nltk bump (3.8.1 → 3.9.1) was done via Dependabot in PR chore(deps): bump nltk from 3.8.1 to 3.9.1 #43.
• Not a breaking change — no schema, spec, state, or API surface changes. Patch-level security fix only.

Link to Devin session: https://app.devin.ai/sessions/f245996dac134b0d82de8a71ee0ab44d

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1774543024-bump-nltk-3.9.3#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1774543024-bump-nltk-3.9.3

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

• /autofix - Fixes most formatting and linting issues
• /poetry-lock - Updates poetry.lock file
• /test - Runs connector tests with the updated CDK
• /prerelease - Triggers a prerelease publish with default arguments
• /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
• /poe <command> - Runs any poe command in the CDK environment

📚 Show Repo Guidance

Helpful Resources

• CDK API Reference

📝 Edit this welcome message.

[github-actions]

PyTest Results (Fast)

3 934 tests  ±0   3 922 ✅  - 1   6m 46s ⏱️ -13s
    1 suites ±0      12 💤 +1 
    1 files   ±0       0 ❌ ±0 

Results for commit a8d7c45. ± Comparison against base commit acafc75.

This pull request skips 1 test.

unit_tests.sources.declarative.test_concurrent_declarative_source ‑ test_read_with_concurrent_and_synchronous_streams

[github-actions]

PyTest Results (Full)

3 937 tests  ±0   3 925 ✅ ±0   11m 14s ⏱️ +25s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit a8d7c45. ± Comparison against base commit acafc75.