Add affected range to GHSA-434r-7c99-hwf3 (nanobot-ai)

[faketut]

Improves GHSA-434r-7c99-hwf3 (CVE-2026-49138).

Change

Populate the empty affected block with the PyPI package and patched version.

"affected": [
  {
    "package": {
      "ecosystem": "PyPI",
      "name": "nanobot-ai"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          { "introduced": "0" },
          { "fixed": "0.2.1" }
        ]
      }
    ]
  }
]

Note on the name mismatch: the GitHub repository is HKUDS/nanobot, but the project is published on PyPI as nanobot-ai (the README / install instructions say pip install nanobot-ai).

Sources

All evidence is already present in the advisory references:

• Vulnerable details: "Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool…"
• Fix commit: HKUDS/nanobot@545294c
• Fix PR: [security] fix(web): validate redirect targets before fetching HKUDS/nanobot#3928
• Release tag: https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
• PyPI distribution: https://pypi.org/project/nanobot-ai/
• CWE-918 / SSRF via redirect following in httpx

JSON validated with python3 -m json.tool.