build(deps): bump bandit from 1.11.0 to 1.11.1

[dependabot]

Bumps bandit from 1.11.0 to 1.11.1.

Changelog

Sourced from bandit's changelog.

1.11.1 (13 May 2026)

Fixes

• Improve handling of large chunked request bodies (CVE-2026-39803, #585, thanks @​PJUllrich & @​maennchen!)
• Improve handling of request trailers (CVE-2026-39806, #585, thanks @​PJUllrich & @​maennchen!)

Changes

• We no longer disallow . and .. path components in HTTP/2 absolute paths (#581)

Commits

• 40a1b8f Version bump to 1.11.1
• 37b84cf Bump ex_doc from 0.40.1 to 0.40.2 (#583)
• 8ff6078 Bump telemetry from 1.4.1 to 1.4.2 (#584)
• ae3520d Improve chunk handling (#585)
• 0f56e10 Stop handling . and .. paths specially (#581)
• See full diff in compare view

[github-actions]

TCK 1.0-dev Compatibility Results (experimental)

This run is informational — failures do not block CI.

             A2A TCK Compatibility Report              
═══════════════════════════════════════════════════════
SUT: http://localhost:9999
Timestamp: 2026-05-20T12:03:22.551155+00:00

OVERALL COMPATIBILITY: 44.8%

┌─────────────┬────────┬────────┬─────────┬───────┐
│ Level       │ Passed │ Failed │ Skipped │ Total │
├─────────────┼────────┼────────┼─────────┼───────┤
│ MUST        │     26 │     53 │      35 │   114 │
│ SHOULD      │      2 │      9 │       0 │    11 │
│ MAY         │      2 │      2 │       0 │     4 │
└─────────────┴────────┴────────┴─────────┴───────┘

BY TRANSPORT:
  agent_card:    8/10 ⚠
  grpc:          0/72 (72 skipped) ✓
  jsonrpc:       28/99 (30 skipped) ⚠
  http_json:     3/83 (80 skipped) ✓

FAILED REQUIREMENTS:
  ✗ CARD-CACHE-002 (agent_card): Agent Card response should include an ETag header
  ✗ CARD-CACHE-003 (agent_card): Agent Card response may include a Last-Modified header
  ✗ DM-ART-001 (jsonrpc): Response contains no artifacts
  ✗ DM-MSG-001 (jsonrpc): Expected a Message response, but got a Task or no payload
  ✗ DM-TASK-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-TASK-002 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-MSG-002 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-PART-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-STATUS-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ DM-SERIAL-004 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ VER-SERVER-002 (jsonrpc): Expected VersionNotSupportedError for A2A-Version: 99.0
  ✗ JSONRPC-SSE-002 (): Error code mismatch: expected ContentTypeNotSupportedError (-32005), got ParseError (-32700)
  ✗ JSONRPC-ERR-003 (): error.data is absent — A2A errors MUST include ErrorInfo in data array
  ✗ CORE-SEND-001 (jsonrpc): $.task: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ CORE-SEND-003 (jsonrpc): Operation failed: Invalid parameters
  ✗ CORE-LIST-001 (jsonrpc): $.tasks[0]: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ CORE-LIST-002 (jsonrpc): $.tasks[0]: 'kind' does not match any of the regexes: '^(context_id)$'
  ✗ CORE-LIST-003 (jsonrpc): $.tasks[0]: 'kind' does not match any of the regexes: '^(context_id)$'

[maxekman]

/dependabot rebase