chore(deps): bump tornado from 6.5.5 to 6.5.6 in the uv group across 1 directory

[dependabot]

Bumps the uv group with 1 update in the / directory: tornado.

Updates tornado from 6.5.5 to 6.5.6

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1

... (truncated)

Commits

• aba2569 Merge pull request #3626 from bdarnell/fixes-656
• a24b260 httpclient_test: Accept an additional error message variant
• a74240a Release notes and version bump for 6.5.6.
• e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
• 96dc88c speedups: validate mask length
• ff808b3 http1connection: Enforce max_body_size in _GzipMessageDelegate
• ede4e37 auth: Correctly parse check_authentication response
• 1c178be Remove obsolete curl force_timeout workaround
• c99d55b Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION
• 2761431 Merge pull request #3587 from bdarnell/fix-link
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Low Risk
Lockfile-only patch dependency update with no SDK source changes; upstream 6.5.6 is security/hardening focused but affects dev/notebook tooling paths, not production client behavior unless you run Tornado directly.

Overview
Updates uv.lock so the resolved tornado package moves from 6.5.5 to 6.5.6 (new sdist/wheel URLs and hashes). Tornado is pulled in transitively (e.g. via jupyter-client / ipykernel), not as a direct Pinecone SDK API dependency.

The 6.5.6 release is a patch bump that includes hardening around HTTP/WebSocket handling (e.g. stripping auth headers on cross-origin redirects, max_body_size enforcement for gzipped bodies, and related fixes noted in upstream release notes).

The lockfile also shows pinecone’s own locked version as 9.1.0 (editable root package metadata); that line is incidental to the Dependabot tornado bump unless your branch intentionally combined version bumps.

^{Reviewed by Cursor Bugbot for commit 7428d64. Bugbot is set up for automated code reviews on this repo. Configure here.}