chore: bump sqlfluff to 4.1.0#698

Open
mckornfield wants to merge 1 commit into
NVIDIA-NeMo:mainfrom
mckornfield:sqlfluff-bump
Open

chore: bump sqlfluff to 4.1.0#698
mckornfield wants to merge 1 commit into
NVIDIA-NeMo:mainfrom
mckornfield:sqlfluff-bump

Conversation


@mckornfield mckornfield commented May 21, 2026

📋 Summary

  • Bumps to a newer version of sqlfluff to avoid a CVE

🧪 Testing

  • make test passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

✅ Checklist

  • Follows commit message conventions
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@mckornfield mckornfield requested a review from a team as a code owner May 21, 2026 16:46
@github-actions

Linked Issue Check

This PR does not reference an issue. External contributions must link to
a triaged issue before the PR can be merged.

Add one of the following to your PR description:

  • Fixes #<issue-number>
  • Closes #<issue-number>
  • Resolves #<issue-number>

If no issue exists yet, open one
and a maintainer will triage it.

See CONTRIBUTING.md for details.


github-actions Bot commented May 21, 2026

All contributors have signed the DCO ✍️ ✅
Posted by the DCO Assistant Lite bot.

@mckornfield (Author)

I have read the DCO document and I hereby sign the DCO.


greptile-apps Bot commented May 21, 2026

Greptile Summary

This PR bumps sqlfluff from >=3.2.0,<4 (locked at 3.5.0) to >=4.1.0,<5 (locked at 4.2.1) to address a CVE. This is a major version upgrade, though sqlfluff is used as a linter tool rather than a library API, so breaking changes are limited to SQL rule/dialect behavior rather than Python API surface.

  • pyproject.toml: version constraint updated from >=3.2.0,<4 to >=4.1.0,<5.
  • uv.lock: locked version advances to 4.2.1; pytest is no longer listed as a runtime dependency of sqlfluff (it was an incorrect upstream dependency that was cleaned up in 4.x).

Confidence Score: 5/5

Safe to merge — this is a targeted dependency version bump with no logic changes.

The change is limited to advancing sqlfluff from 3.5.0 to 4.2.1. sqlfluff is used as a linter tool, so a major version bump affects SQL lint rules rather than any Python API the codebase calls directly. The lock file is consistent with the new constraint, and the incidental removal of pytest from sqlfluff's own runtime dependencies is an upstream cleanup with no impact here.

No files require special attention.

Important Files Changed

  • packages/data-designer-engine/pyproject.toml: Updates sqlfluff version constraint from >=3.2.0,<4 to >=4.1.0,<5, a major version bump driven by a CVE fix.
  • uv.lock: Locks sqlfluff to 4.2.1 (up from 3.5.0); also removes pytest from sqlfluff's runtime dependency list, which was an incorrect upstream dependency that has been cleaned up in 4.x.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[data-designer-engine] -->|before: >=3.2.0,<4\nlocked: 3.5.0| B[sqlfluff 3.5.0]
    A -->|after: >=4.1.0,<5\nlocked: 4.2.1| C[sqlfluff 4.2.1]
    B --> D[pytest runtime dep]
    C --> E[pytest dep removed]
    C --> F[CVE resolved]

Reviews (1): Last reviewed commit: "chore: bump sqlfluff to 4.1.0"
