Bump cryptography from 45.0.7 to 48.0.0#243
Conversation
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: cryptography 45.0.7 → 48.0.0
Semver risk: Multi-major (3 major versions)
Dependency type: Production
CI status: Failing — build failures on macOS and Windows (cffi conflict; see inline comment)
Changelog Analysis
Sources consulted:
- PR body (truncated; 46.x and earlier not shown)
Breaking changes (47.0.0–48.0.0):
- Python 3.8 support removed — project uses Python 3.10, unaffected
- Binary elliptic curves (SECT*) removed — no usage in project source
- OpenSSL 1.1.x support removed — wheels bundle OpenSSL 3.x
- LibreSSL < 4.1 dropped
- Key loading now raises
UnsupportedAlgorithminstead ofValueErrorfor unsupported algorithms — no direct usage found in project source - New peer dependency requirement:
cffi>=2.0.0(up fromcffi>=1.12)
Changelog for the 46.x range is truncated in the PR body; no breaking changes found in the visible 47.0.0–48.0.0 entries that affect this project, aside from the cffi requirement.
Compatibility Assessment
- Direct cryptography API usage in project source: none (
from cryptography/import cryptographynot found) - Peer dependency conflict: yes —
cffi>=2.0.0required;setup.pypinscffi==1.14.4 - Python version: 3.10 (satisfies the new 3.9+ minimum)
- Code changes required: yes —
cffipin insetup.pymust be updated alongside this bump
Recommendation
REQUEST_CHANGES — breaking build on both platforms due to cffi version conflict. Once cffi is bumped to a >=2.0.0-compatible pin the remaining changelog changes are low-risk for this project.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
| install_requires=[ | ||
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==48.0.0", |
There was a problem hiding this comment.
blocking: Both macOS and Windows CI builds fail with a dependency conflict introduced by this bump:
ERROR: Cannot install kolibri-app and kolibri-app==0.5.1 because these package versions have conflicting dependencies.
kolibri-app 0.5.1 depends on cffi==1.14.4
cryptography 48.0.0 depends on cffi>=2.0.0; platform_python_implementation != "PyPy"
cryptography 48.0.0 raised its cffi minimum from >=1.12 to >=2.0.0, which is incompatible with the cffi==1.14.4 pin on line 36. This PR needs a companion bump: update cffi==1.14.4 to a version satisfying cffi>=2.0.0. The two changes should land together.
| install_requires=[ | ||
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==48.0.0", |
There was a problem hiding this comment.
praise: Exact-version pinning (==) for cryptography is the right call for a bundled desktop app — it makes builds fully reproducible and prevents unexpected wheel changes on rebuilds, which matters for a security-critical dependency.
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 48.0.0. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.7...48.0.0) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
0953a66 to
fb982f2
Compare
rtibblesbot
left a comment
There was a problem hiding this comment.
Prior findings
Unaddressed (re-raised below):
- cffi conflict (blocking) — no reply,
cffi==1.14.4pin unchanged; CI still fails with the same dependency conflict
0/1 prior findings resolved. 1 re-raised below.
CI failing on all three checks (Build EXE, Build DMG, uv-lock lint) — all caused by the same cffi conflict.
- blocking: cffi conflict, re-raised on
pyproject.toml:14(see inline comment)
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Compared the current PR state against findings from a prior review:
- Retrieved prior bot reviews deterministically via the GitHub API
- Classified each prior finding as RESOLVED, UNADDRESSED, ACKNOWLEDGED, or CONTESTED
- Only raised NEW findings for newly introduced code
- Reviewed the pull request diff checking for correctness, design, architecture, testing, completeness, and adherence to DRY/SRP principles
- Checked CI status and linked issue acceptance criteria
| dependencies = [ | ||
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==48.0.0", |
There was a problem hiding this comment.
blocking: The cffi conflict from round 1 is still present. cryptography==48.0.0 requires cffi>=2.0.0, but line 15 pins cffi==1.14.4. All three CI checks fail with this error:
Because cryptography==48.0.0 depends on cffi>=2.0.0 and your project depends on cffi==1.14.4,
we can conclude that cryptography==48.0.0 and your project are incompatible.
This PR needs a companion bump: update cffi==1.14.4 on line 15 to cffi>=2.0.0 (or a specific compatible version such as cffi==2.0.0). Both changes should land together.
|
Superseded by #262. |
Bumps cryptography from 45.0.7 to 48.0.0.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
8e03e30bump for 48.0.0 release (#14796)295e0d2Add AGENTS.md with CLAUDE.md symlink (#14794)104a2deBump BoringSSL, OpenSSL, AWS-LC in CI (#14793)67ec1e5call check_length early on AesSiv::encrypt (#14792)b2da57achangelog for mldsa/mlkem for openssl (#14791)3cf44adML-KEM OpenSSL support (#14781)2e31639ML-DSA OpenSSL support (#14773)5affe5afix rust nightly clippy (#14790)2e73ca4bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...82ebd3bBump BoringSSL, OpenSSL, AWS-LC in CI (#14785)