Summary
presidio-anonymizer==2.2.363 declares:
cryptography (>=46.0.4,<47.0.0)
All cryptography releases below 48.0.1 are affected by GHSA-537c-gmf6-5ccf (HIGH — vulnerable OpenSSL statically linked into the wheels; affected range >=0.5.0, <48.0.1, first patched version 48.0.1).
Because the <47.0.0 cap excludes the entire patched line, any environment that installs presidio-anonymizer alongside other packages sharing cryptography (web/auth stacks, etc.) gets the whole dependency closure resolved down from 48.0.1 to 46.0.7 — which then fails blocking pip-audit / OSV CVE gates. In practice this makes 2.2.363 unadoptable in environments that enforce vulnerability gates, without unsafe overrides.
Request
Raise the upper bound so the patched cryptography line is installable, e.g.:
cryptography (>=48.0.1,<49.0.0)
or, if you prefer keeping the wider floor:
cryptography (>=46.0.4,<49.0.0)
I understand the upper caps are deliberate defensive version ranges (#1965), so this is a request to bump the cap within that policy, not to remove it. Note cryptography 48.x removed some long-deprecated APIs, so a CI run against 48.0.1 is worth doing as part of the bump — but the anonymizer's AES/encrypt-decrypt usage should be on stable API surface.
Precedent
Same situation as #1839 (cap <44.1 blocked the CVE-2025-15467 fix), resolved quickly by #1841. This is the recurring failure mode of capping a security-critical dependency: every cryptography CVE fixed only above the cap makes the current presidio-anonymizer release conflict with security gates until a new release relaxes the range.
Environment
- presidio-anonymizer 2.2.363 (PyPI)
- Python 3.13, uv-resolved lockfile, hash-pinned
- cryptography 48.0.1 required elsewhere in the closure (auth/web stack) and by the GHSA fix
Thanks — and thanks for the smooth org transition; maintainer continuity and the transition notice were much appreciated when we reviewed the move.
Summary
presidio-anonymizer==2.2.363declares:All
cryptographyreleases below 48.0.1 are affected by GHSA-537c-gmf6-5ccf (HIGH — vulnerable OpenSSL statically linked into the wheels; affected range>=0.5.0, <48.0.1, first patched version48.0.1).Because the
<47.0.0cap excludes the entire patched line, any environment that installspresidio-anonymizeralongside other packages sharingcryptography(web/auth stacks, etc.) gets the whole dependency closure resolved down from 48.0.1 to 46.0.7 — which then fails blockingpip-audit/ OSV CVE gates. In practice this makes 2.2.363 unadoptable in environments that enforce vulnerability gates, without unsafe overrides.Request
Raise the upper bound so the patched cryptography line is installable, e.g.:
or, if you prefer keeping the wider floor:
I understand the upper caps are deliberate defensive version ranges (#1965), so this is a request to bump the cap within that policy, not to remove it. Note cryptography 48.x removed some long-deprecated APIs, so a CI run against 48.0.1 is worth doing as part of the bump — but the anonymizer's AES/encrypt-decrypt usage should be on stable API surface.
Precedent
Same situation as #1839 (cap
<44.1blocked the CVE-2025-15467 fix), resolved quickly by #1841. This is the recurring failure mode of capping a security-critical dependency: every cryptography CVE fixed only above the cap makes the current presidio-anonymizer release conflict with security gates until a new release relaxes the range.Environment
Thanks — and thanks for the smooth org transition; maintainer continuity and the transition notice were much appreciated when we reviewed the move.