build(deps): Bump cbor2 from 5.8.0 to 5.9.0

[dependabot]

Bumps cbor2 from 5.8.0 to 5.9.0.

Release notes

Sourced from cbor2's releases.

5.9.0

• Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)
• Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#275; PR by @​andreer)
• Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)
• Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#287)
• Fixed two reference/memory leaks in the C extension's long string decoder (#290 PR by @​killiancowan82)
• Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @​andreer)

Commits

• 93c5988 Bumped up the version
• d903d62 Updated the max_depth default value in the C function signature
• 2b53b28 Stack allocate small strings (#270)
• a7ac10d Upped the max_depth value to 400
• 54c8ed5 Fixed reference/memory leaks in decode_definite_long_string (#290)
• a8d92dc [pre-commit.ci] pre-commit autoupdate (#289)
• c91aa00 [pre-commit.ci] pre-commit autoupdate (#288)
• 53521e7 Fixed ssize_t to Py_ssize_t
• 94e0d21 Added missing Python counterpart for max_depth
• bcb6cea Added the max_depth decoder parameter
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.