fix: bump black and django to resolve dependabot security alerts#109

Open
jonathannorris wants to merge 2 commits into main from fix/dependabot-security-alerts

Conversation

@jonathannorris (Member)

@jonathannorris jonathannorris commented Mar 15, 2026

Summary

  • Bump black from ~=25.1.0 to ~=26.3.1 to fix CVE-2026-32274 (arbitrary file writes from unsanitized cache file name)
  • Bump django minimum from >= 4.2 to >= 4.2.29 to fix CVE-2026-25673 (uncontrolled resource consumption) and CVE-2026-25674 (race condition)
  • Split lint/format deps (black, mypy, ruff) into a new requirements.lint.txt since black >= 26.3.1 requires Python 3.10+ and unit tests run on 3.9

Resolves all 3 open Dependabot alerts.

Changes

File                                  Change
requirements.test.txt                 Remove lint deps (black, mypy, ruff) — test-only deps remain
requirements.lint.txt                 New file with lint/format deps requiring Python 3.10+
.github/workflows/lint.yml            Use requirements.lint.txt instead of requirements.test.txt
example/django-app/requirements.txt   Bump django >= 4.2 to >= 4.2.29
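The Summary bumps black from `~=25.1.0` to `~=26.3.1` rather than leaving the old pin in place, because the compatible-release operator `~=25.1.0` means `>=25.1.0, ==25.1.*`: it can never resolve to the patched 26.3.1, so a fresh install would keep picking up a vulnerable release. The block below is an added example written for this page, not code from the PR or the repository. It implements a minimal, stdlib-only check of that behaviour: it parses requirement lines of the form `name OP version`, evaluates `~=`, `>=` and `==` for dotted integer versions as PEP 440 defines them, and reports for each pin whether its lowest accepted version is older than the fixed release named in the PR and whether the pin can reach that fixed release at all. The `FIXED_IN` table, the `BEFORE`/`AFTER` requirement lines and every function name are constructed for the example; a production check should use the `packaging` library's `SpecifierSet`, which handles pre-release tags and multi-clause specifiers that this simplified comparison does not.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as stated in the PR summary (constructed table for this example).
FIXED_IN: Dict[str, str] = {
    "black": "26.3.1",   # CVE-2026-32274
    "django": "4.2.29",  # CVE-2026-25673, CVE-2026-25674
}

# Constructed before/after requirement lines mirroring the PR's two bumps.
BEFORE: List[str] = ["black~=25.1.0", "django >= 4.2", "# comment lines are ignored"]
AFTER: List[str] = ["black~=26.3.1", "django >= 4.2.29"]

# Only the operators this example supports; no extras, markers or multiple clauses.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(~=|>=|==)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted integer release segment only (no pre/post/dev tags)."""
    return tuple(int(part) for part in text.split("."))


def padded(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad with zeros so 4.2 and 4.2.29 compare component-wise (4.2 == 4.2.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def allows(op: str, spec: str, candidate: str) -> bool:
    """Does `name OP spec` admit `candidate`? Covers the operators used in this PR."""
    s, c = padded(parse_version(spec), parse_version(candidate))
    if op == ">=":
        return c >= s
    if op == "==":
        return c == s
    if op == "~=":
        # Compatible release (PEP 440): >= spec AND equal to spec with its last
        # component dropped. ~=25.1.0 means >=25.1.0, ==25.1.*, so 26.3.1 is excluded.
        keep = len(parse_version(spec)) - 1
        return c >= s and c[:keep] == s[:keep]
    raise ValueError("unsupported operator: " + op)


def parse_requirements(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (operator, version) for simple single-specifier lines."""
    pins: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        m = REQ_RE.match(body)
        if not m:
            raise ValueError("unsupported requirement line: " + line)
        name, op, ver = m.groups()
        pins[name.lower()] = (op, ver)
    return pins


def audit(lines: List[str], fixed_in: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """For each pinned package with a known fix, return (admits_vulnerable, can_reach_fix).

    admits_vulnerable: the lowest version the pin accepts is older than the fix.
    can_reach_fix:     the pin can resolve to the fixed version at all.
    """
    report: Dict[str, Tuple[bool, bool]] = {}
    for name, (op, ver) in parse_requirements(lines).items():
        if name not in fixed_in:
            continue
        # All three supported operators admit exactly `ver` as their lowest accepted version.
        lowest, target = padded(parse_version(ver), parse_version(fixed_in[name]))
        report[name] = (lowest < target, allows(op, ver, fixed_in[name]))
    return report


if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER)):
        for name, (vuln, reach) in audit(lines, FIXED_IN).items():
            print(f"{label:6} {name:7} admits_vulnerable={vuln} can_reach_fix={reach}")
```

Run against the constructed lines, the "before" report shows the two different failure modes: `django >= 4.2` still admits 4.2.0 through 4.2.28 but can reach 4.2.29 on a fresh resolve, whereas `black~=25.1.0` cannot reach 26.3.1 at all, which is why the pin itself had to move. After the bump both entries report `(False, True)`.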

@jonathannorris jonathannorris requested a review from a team as a code owner March 15, 2026 03:22
Copilot AI review requested due to automatic review settings March 15, 2026 03:22
black>=26.3.1 requires Python 3.10+, but unit tests run on 3.9.
Move black, mypy, and ruff into a separate requirements.lint.txt
used only by the lint workflow (Python 3.12).

Copilot AI left a comment


Pull request overview

Updates Python dependency pins to address Dependabot-reported security vulnerabilities in the repo’s formatting/tooling and the example Django app.

Changes:

  • Bump black in requirements.test.txt to ~=26.3.1.
  • Bump django minimum in the example app to >=4.2.29.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                                  Description
requirements.test.txt                 Updates the formatter version used by CI/dev tooling to remediate a reported Black CVE.
example/django-app/requirements.txt   Raises the example app’s Django minimum version to include patched releases for reported CVEs.

2 participants