Skip to content

presidio-anonymizer 2.2.363: cryptography<47.0.0 upper bound forces downgrade to wheels with vulnerable OpenSSL (GHSA-537c-gmf6-5ccf, fixed only in 48.0.1) #2143

Description

@rickgoud

Summary

presidio-anonymizer==2.2.363 declares:

cryptography (>=46.0.4,<47.0.0)

All cryptography releases below 48.0.1 are affected by GHSA-537c-gmf6-5ccf (HIGH — vulnerable OpenSSL statically linked into the wheels; affected range >=0.5.0, <48.0.1, first patched version 48.0.1).

Because the <47.0.0 cap excludes the entire patched line, any environment that installs presidio-anonymizer alongside other packages sharing cryptography (web/auth stacks, etc.) gets the whole dependency closure resolved down from 48.0.1 to 46.0.7 — which then fails blocking pip-audit / OSV CVE gates. In practice this makes 2.2.363 unadoptable in environments that enforce vulnerability gates, without unsafe overrides.

Request

Raise the upper bound so the patched cryptography line is installable, e.g.:

cryptography (>=48.0.1,<49.0.0)

or, if you prefer keeping the wider floor:

cryptography (>=46.0.4,<49.0.0)

I understand the upper caps are deliberate defensive version ranges (#1965), so this is a request to bump the cap within that policy, not to remove it. Note cryptography 48.x removed some long-deprecated APIs, so a CI run against 48.0.1 is worth doing as part of the bump — but the anonymizer's AES/encrypt-decrypt usage should be on stable API surface.

Precedent

Same situation as #1839 (cap <44.1 blocked the CVE-2025-15467 fix), resolved quickly by #1841. This is the recurring failure mode of capping a security-critical dependency: every cryptography CVE fixed only above the cap makes the current presidio-anonymizer release conflict with security gates until a new release relaxes the range.

Environment

  • presidio-anonymizer 2.2.363 (PyPI)
  • Python 3.13, uv-resolved lockfile, hash-pinned
  • cryptography 48.0.1 required elsewhere in the closure (auth/web stack) and by the GHSA fix

Thanks — and thanks for the smooth org transition; maintainer continuity and the transition notice were much appreciated when we reviewed the move.

Metadata

Metadata

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions