feat: add CVE vulnerability checks with pip-audit #89

Draft
sam-s10s wants to merge 1 commit into main from feature/cve-check
sam-s10s commented Mar 3, 2026

This test is a simple check using pip-audit to audit the imported packages for any CVE vulnerabilities and report them in the output. If there are any vulnerabilities found, then this should be caught during CI builds and shown as an error.

Initial tests show this to flag certain packages (output below), which have not been addressed so that we can discuss this during the course of this MR being considered.

Note: I suspect some of these packages are from other packages and not directly part of the SDK, so we may need to consider the impact this has.

tests/test_cve.py:71: in test_no_known_cve_vulnerabilities
    assert not affected_packages, report
E   AssertionError: Found 13 known CVE(s) in 5 package(s).
E
E     REPORT
E     ------------------------------------------------------------
E       aiohttp==3.13.2  (8 CVE(s))
E         - CVE-2025-69223  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69223
E           ### Summary A zip bomb can be used to execute a DoS against the aiohttp server.  ### Impact An attacker may be able to s
E         - CVE-2025-69224  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69224
E           ### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.  ###
E         - CVE-2025-69228  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69228
E           ### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during proces
E         - CVE-2025-69229  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69229
E           ### Summary  Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of ch
E         - CVE-2025-69230  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69230
E           ### Summary Reading multiple invalid cookies can lead to a logging storm.  ### Impact If the ``cookies`` attribute is ac
E         - CVE-2025-69226  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69226
E           ### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to asc
E         - CVE-2025-69227  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69227
E           ### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a
E         - CVE-2025-69225  fix: 3.13.3
E           https://nvd.nist.gov/vuln/detail/CVE-2025-69225
E           ### Summary  The parser allows non-ASCII decimals to be present in the Range header.  ### Impact  There is no known impa
E
E       filelock==3.20.0  (2 CVE(s))
E         - CVE-2025-68146  fix: 3.20.1
E           https://nvd.nist.gov/vuln/detail/CVE-2025-68146
E           ### Impact  A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary
E         - CVE-2026-22701  fix: 3.20.3
E           https://nvd.nist.gov/vuln/detail/CVE-2026-22701
E           ## Vulnerability Summary  **Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock  **Affecte
E
E       protobuf==6.33.2  (1 CVE(s))
E         - CVE-2026-0994  fix: 5.29.6, 6.33.5
E           https://nvd.nist.gov/vuln/detail/CVE-2026-0994
E           A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recur
E
E       urllib3==2.6.2  (1 CVE(s))
E         - CVE-2026-21441  fix: 2.6.3
E           https://nvd.nist.gov/vuln/detail/CVE-2026-21441
E           ### Impact  urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is
E
E       virtualenv==20.35.4  (1 CVE(s))
E         - CVE-2026-22702  fix: 20.36.1
E           https://nvd.nist.gov/vuln/detail/CVE-2026-22702
E           ## Impact  TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-b
E
E     ACTION REQUIRED
E     ------------------------------------------------------------
E       pip install --upgrade aiohttp>=3.13.3
E       pip install --upgrade filelock>=3.20.3
E       pip install --upgrade protobuf>=6.33.5
E       pip install --upgrade urllib3>=2.6.3
E       pip install --upgrade virtualenv>=20.36.1
E   assert not {'aiohttp': {'fix_versions': {'3.13.3'}, 'version': '3.13.2', 'vulns': [{'aliases': ['GHSA-6mq8-rvhq-8wgg'], 'descript...setting `redirect=False` for requests to untrusted source.", 'fix_versions': ['2.6.3'], 'id': 'CVE-2026-21441'}]}, ...}

Introduce a new test to check for known CVE vulnerabilities in
installed packages using pip-audit. Add `pip-audit` installation
to the development setup process. The changes ensure that the
project is free from known vulnerabilities by running a pip-audit
test which fails on detection, providing a detailed report and
actionable summary for any findings.
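
The note above that some flagged packages may come from other packages rather than the SDK itself can be checked mechanically. The following is an added example, not code from this pull request: it reads a report in the shape of `pip-audit --format json`, marks each finding as a direct or transitive dependency, and picks the lowest version that fixes every finding for that package. The sample data, the `direct` set and all function names are assumptions made for the illustration.

```python
import json
import re
from importlib import metadata

# Constructed sample in the shape of `pip-audit --format json` output,
# using three of the findings quoted in the report above.
SAMPLE = json.dumps({"dependencies": [
    {"name": "filelock", "version": "3.20.0", "vulns": [
        {"id": "CVE-2025-68146", "fix_versions": ["3.20.1"]},
        {"id": "CVE-2026-22701", "fix_versions": ["3.20.3"]}]},
    {"name": "protobuf", "version": "6.33.2", "vulns": [
        {"id": "CVE-2026-0994", "fix_versions": ["5.29.6", "6.33.5"]}]},
    {"name": "urllib3", "version": "2.6.2", "vulns": [
        {"id": "CVE-2026-21441", "fix_versions": ["2.6.3"]}]},
    {"name": "idna", "version": "3.11", "vulns": []},
]})

def vkey(version):
    """Sort key for plain dotted numeric versions (enough for this sample)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def direct_requirements(dist_name):
    """Lower-cased names that an installed distribution declares itself."""
    reqs = metadata.requires(dist_name) or []
    return {re.match(r"[A-Za-z0-9._-]+", r).group(0).lower() for r in reqs}

def plan_upgrades(report_json, direct):
    """Map each vulnerable package to the lowest version fixing every finding."""
    plan = {}
    for dep in json.loads(report_json)["dependencies"]:
        if not dep.get("vulns"):
            continue
        needed = []
        for vuln in dep["vulns"]:
            # Lowest fix above the installed version; skips older release lines.
            newer = [f for f in vuln["fix_versions"] if vkey(f) > vkey(dep["version"])]
            if newer:
                needed.append(min(newer, key=vkey))
        target = max(needed, key=vkey) if needed else None
        plan[dep["name"]] = {
            "target": target,
            "direct": dep["name"].lower() in direct,
            "cves": [v["id"] for v in dep["vulns"]],
            # Quoted: an unquoted '>' is a shell redirection, not a version bound.
            "command": f'pip install --upgrade "{dep["name"]}>={target}"' if target else None,
        }
    return plan

# Constructed direct-dependency set; not the SDK's real requirement list.
PLAN = plan_upgrades(SAMPLE, direct={"urllib3"})
```

In a real run, `direct` would come from `direct_requirements()` called with the SDK's distribution name, and findings marked transitive point at a constraint or an upstream bump rather than a change to the SDK's own requirements.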