Bump cryptography from 45.0.7 to 46.0.5#220
Conversation
|
@dependabot rebase |
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 46.0.5. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.7...46.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
9436ed0 to
e67e04a
Compare
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: cryptography 45.0.7 → 46.0.5
Semver risk: Major
Dependency type: Production
CI status: In progress (Build Packages for PRs)
Changelog Analysis
Sources consulted:
- PR body changelog (from dependabot)
- Compare v45.0.7...v46.0.5
- PyPI metadata for cryptography 46.0.5
Breaking changes:
- Python 3.7 support removed (46.0.0) — not an issue, project uses Python 3.10
- cffi dependency bumped to
>=2.0.0on Python ≥3.9 (46.0.1, commit2726efd) — see blocking comment below - Dropped
win_arm64wheels (46.0.4) — unlikely to affect this project
Deprecations:
SECT*binary elliptic curves deprecated (46.0.5) — no direct cryptography imports in project source
Security fixes:
- CVE-2026-26007: Malicious public key could reveal portions of private key when using uncommon binary elliptic curves. Fixed in 46.0.5.
Compatibility Assessment
- Project uses affected APIs: No (cryptography is not directly imported in source)
- Peer dependency changes: Yes — cffi ≥2.0.0 required on Python ≥3.9
- Code changes required: Yes —
cffi==1.14.4pin in setup.py must be updated - Prior failed attempts: No
Recommendation
REQUEST_CHANGES — The cffi==1.14.4 pin in setup.py is incompatible with cryptography 46.0.5 on Python 3.9+. The cffi pin must be bumped to >=2.0.0 (or a specific compatible version) alongside this update. CI will likely fail during pip dependency resolution.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
| install_requires=[ | ||
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==46.0.5", |
There was a problem hiding this comment.
blocking: cryptography 46.0.5 requires cffi>=2.0.0 on Python ≥3.9 (PyPI metadata). This project uses Python 3.10, but cffi is pinned to 1.14.4 on line 36. pip will fail to resolve these conflicting requirements.
The fix is to also bump the cffi pin — e.g., cffi==1.17.1 (latest 1.x) or cffi==2.0.0 depending on compatibility with wxPython==4.2.2 and the rest of the dependency tree. Since dependabot won't update sibling pins, this likely needs a manual commit on this branch or a separate coordinated PR.
|
Superseded by #228. |
Bumps cryptography from 45.0.7 to 46.0.5.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
06e120ebump version for 46.0.5 release (#14289)0eebb9dEC check key on cofactor > 1 (#14287)bedf6e1fix openssl version on 46 branch (#14220)e6f44fcbump for 46.0.4 and drop win arm64 due to CI issues (#14217)c0af4ddrelease 46.0.3 (#13681)99efe5abump version for 46.0.2 (#13531)e735cfcrelease 46.0.1 (#13450)4e457ffExplicitly specify python in mac uv build invocation (#13447)2726efdDepend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)6223062release 46.0.0 (#13446)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.