Bump cryptography from 45.0.7 to 46.0.7#230
Conversation
|
@dependabot rebase |
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 46.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.7...46.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.7 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
3edefc0 to
b216b83
Compare
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency conflict introduced by this bump causes the build to fail.
CI: Previous run failed (dependency conflict, see inline); new run triggered by the rebase is still in progress but the underlying code is unchanged — same outcome expected.
- blocking:
cryptography 46.0.7requirescffi>=2.0.0(Python 3.9+, non-PyPy) butsetup.pypinscffi==1.14.4— see inline - praise: Three high-severity CVEs patched (CVE-2026-39892, CVE-2026-34073, CVE-2026-26007); the security urgency is clear and worth resolving promptly
Dependency Update Review
Package: cryptography 45.0.7 → 46.0.7
Semver risk: Major
Dependency type: production (install_requires)
CI status: Failing — ResolutionImpossible (cffi version conflict)
Changelog Analysis
Sources consulted: PR body (truncated) — full changelog at https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst
Security fixes (all in this range):
- CVE-2026-39892: Buffer overflow via non-contiguous buffers passed to Python buffer APIs (46.0.7)
- CVE-2026-34073: Name constraints not applied to peer names when leaf cert has wildcard DNS SAN (46.0.6)
- CVE-2026-26007: Attacker-crafted public key could reveal portions of private key on binary elliptic curves (46.0.5)
Breaking changes:
cffi>=2.0.0is now required for Python 3.9+ (non-PyPy) — confirmed by pip resolution error in CI logswin_arm64wheels dropped (46.0.4)
Deprecations:
SECT*binary elliptic curves deprecated; removal expected in next major release (46.0.5)
Compatibility Assessment
- Project pins
cffi==1.14.4— conflicts with newcffi>=2.0.0requirement - Code changes required: yes —
cffipin insetup.pymust be updated alongside this bump - No other breaking API changes observed that affect this project
Recommendation
REQUEST_CHANGES — update cffi pin to a version compatible with cryptography 46.x (≥ 2.0.0) before merging. The security fixes make this worth resolving quickly.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
| install_requires=[ | ||
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==46.0.7", |
There was a problem hiding this comment.
blocking: cryptography 46.0.7 now requires cffi>=2.0.0 for Python 3.9+ (non-PyPy), but this project pins cffi==1.14.4 three lines below. CI confirms this:
The conflict is caused by:
kolibri-app 0.4.5 depends on cffi==1.14.4
cryptography 46.0.7 depends on cffi>=2.0.0; python_full_version >= "3.9" and platform_python_implementation != "PyPy"
This PR needs to also update the cffi pin to a compatible version (≥ 2.0.0). Check whether cffi 2.x introduces any breaking changes for the project before pinning a specific version.
Bumps cryptography from 45.0.7 to 46.0.7.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
622d67246.0.7 release (#14602)91d7288Cherry-pick #14542 (#14543)06e120ebump version for 46.0.5 release (#14289)0eebb9dEC check key on cofactor > 1 (#14287)bedf6e1fix openssl version on 46 branch (#14220)e6f44fcbump for 46.0.4 and drop win arm64 due to CI issues (#14217)c0af4ddrelease 46.0.3 (#13681)99efe5abump version for 46.0.2 (#13531)e735cfcrelease 46.0.1 (#13450)4e457ffExplicitly specify python in mac uv build invocation (#13447)