chore: update uv.lock for 6 dependabot dependency bumps

Selectively upgraded:
- black 25.1.0 -> 26.3.1 (dev/lint)
- filelock 3.18.0 -> 3.25.2 (transitive, dev)
- pygments 2.19.2 -> 2.20.0 (transitive)
- pyjwt 2.10.1 -> 2.12.1 (runtime)
- requests 2.32.4 -> 2.33.1 (runtime, CVE-2026-25645)
- virtualenv 20.32.0 -> 21.2.1 (transitive, dev)

Addresses #3961, #3959, #3957, #3956, #3949, #3947.
urllib3 v2 (#3948) skipped: blocked by selenium<4 pin.

Author: jstvz