Address license scanning failures

[jpower432]

Issue description / feature objectives

Issues with dependency license scans were found when running a snyk scan:

MPL-2.0 license in pathspec@0.12.1
LGPL-3.0 license in paramiko@3.5.0
MPL-2.0 license in certifi@2025.4.26

Allowed licenses are in the CNCF Allowlist License policy

Caveats / Assumptions

• Some of these dependencies are transitive, so the direct dependencies that imports it might need to be looked at for replacement.

You can use the follow to generare the requirements file being scanned by snyk

 pipx install pip-tools
 pip-compile pyproject.toml -o requirements.txt

Completion Criteria

• A passing snyk scan on ci: add snyk license scanning to PR CI workflow #1878

[jpower432]

cc @degenaro @vikas-agarwal76

[degenaro]

I added this as a potential slam issue.

[aishwarya-mathew]

Hi @degenaro, could you please assign this to me? Thanks!

[degenaro]

Hi @aishwarya-mathew, you are assigned! Thanks for taking on this issue. This is an important issue to resolve. Please update this issue with status from time to time. It's perfectly fine to solve this issue partially, for example finding a replacement for 1 of the 3 flagged dependencies. Please do consult with us here or in slack concerning viable alternatives to the flagged dependencies. Some concerns about replacements are: license, sub-dependencies, origin, security, staleness, popularity, quality...

[degenaro]

Hi @aishwarya-mathew . Would you please update this issue with status? Or please contact me via direct message on slack. Or please join us on Thus at 11 ET at https://teams.microsoft.com/l/meetup-join/19%3ameeting_NTgwMWI4ZGMtZmYzYy00NjE1LTgyZmEtOWJiNDliNGM4ZGZj%40thread.v2/0?context=%7b%22Tid%22%3a%22fcf67057-50c9-4ad4-98f3-ffca64add9e9%22%2c%22Oid%22%3a%22e20eecde-e24a-4e0f-a1c9-129099f4a586%22%7d . Or suggest another time to meet. Thx!