Skip to content

chore(deps): bump cryptography from 45.0.7 to 49.0.0#262

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/cryptography-49.0.0
Open

chore(deps): bump cryptography from 45.0.7 to 49.0.0#262
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/cryptography-49.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps cryptography from 45.0.7 to 49.0.0.

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12


* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits
  • e300bbe bump version and changelog for 49.0.0 (#15030)
  • fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
  • f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
  • 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
  • a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
  • 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
  • 6080dc7 Bump dependencies that dependabot isn't (#15026)
  • 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
  • 829520b Add more robust processing for DH parameters. (#15016)
  • 0f05001 Bump downstream dependencies in CI (#15025)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 49.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@45.0.7...49.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 49.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 1, 2026

@rtibblesbot rtibblesbot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Babel 7→8 major bump (4 packages, mixed prod/dev) — breaks the build. CI failing.

  • Packages: @babel/core 7.29.7→8.0.1, @babel/preset-env 7.29.7→8.0.2, @babel/plugin-transform-runtime 7.29.7→8.0.1, @babel/runtime 7.29.7→8.0.0
  • Semver risk: Major
  • Dependency type: Mixed — @babel/runtime is a production dependency (kolibri/plugins/media_player/package.json); the rest are build/dev tooling
  • Breaking change: Babel 8 fully removed preset-env's useBuiltIns option (babel/babel#18079). Three in-repo configs still set it — kolibri/core/buildConfig.js:29, packages/kolibri-jest-config/jest.conf/babel.config.js:6, packages/kolibri-sandbox/babel.config.js:7 — none touched by this manifest/lockfile-only PR. Per the migration guide, these need babel-plugin-polyfill-corejs3 in place of useBuiltIns.
  • Security fixes: none noted
  • CI status: Failing — confirmed as a direct consequence of the above: Kolibri Build Assets for Pull Request errors with The 'useBuiltIns' option has been removed, and Javascript Tests fails identically, taking down all 262 Jest suites (0 tests run).

Blocking — this needs the config migration alongside the bump before it can merge.


@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Ran a dependency-update review pipeline over the version bump:

  • Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
  • Extracted the changelog and release notes across the version range
  • Assessed compatibility with this project's usage and whether any code changes are required
  • Treated CI as the primary safety net
  • Scaled the review depth to the update's risk
  • Chose the verdict from semver risk, changelog findings, and CI status

Comment thread pyproject.toml
"wxPython==4.2.2",
"cryptography==45.0.7",
"cryptography==49.0.0",
"cffi==1.14.4",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blocking: Bump exclude-newer (pyproject.toml:46) past 2026-06-12, or add an exclude-newer-package override for cryptography, to unblock resolution.

@rtibblesbot

Copy link
Copy Markdown
Contributor

Correction: the review just posted above (referencing a Babel dependency bump) was generated in error due to a tooling malfunction and does not apply to this PR. Please disregard it — the correct review of this cryptography bump follows below.

@rtibblesbot rtibblesbot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency bump: cryptography 45.0.7 → 49.0.0 (production dependency, pyproject.toml). Multi-major jump (45→49).

  • CI: failing on all 3 checks (Build EXE, Build DMG, All file linting), same root cause everywhere — the version bump is not the culprit. pyproject.toml's tool.uv.exclude-newer = "2026-06-03T00:00:00Z" (line 46) predates cryptography 49.0.0's publish date (2026-06-12), so uv refuses to resolve it: "cryptography was filtered by exclude-newer to only include packages uploaded before 2026-06-03T00:00:00Z." See inline comment.
  • Breaking changes in 49.0.0 (per release notes, to revisit once resolvable):
    • Drops x86_64 macOS wheels (arm64-only) and 32-bit Windows wheels.
    • Removes deprecated type aliases (PUBLIC_KEY_TYPES etc., deprecated since 40.0).
    • ChaCha20 now raises on 32-bit nonce counter overflow instead of silently diverging.
    • X.509 certs with NULL-encoded ECDSA/DSA signature params now raise ValueError on load instead of warning.
    • No security fixes called out beyond routine deprecation removal.
  • Compatibility: no direct cryptography imports found in src/ — it's a transitive/build-chain dependency, so these API removals are unlikely to touch this project's own code.
  • A lower-risk dependabot/pip/cryptography-46.0.7 branch already exists if 49.0.0 continues to cause resolver friction.

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Ran a dependency-update review pipeline over the version bump:

  • Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
  • Extracted the changelog and release notes across the version range
  • Assessed compatibility with this project's usage and whether any code changes are required
  • Treated CI as the primary safety net
  • Scaled the review depth to the update's risk
  • Chose the verdict from semver risk, changelog findings, and CI status

Comment thread pyproject.toml
"wxPython==4.2.2",
"cryptography==45.0.7",
"cryptography==49.0.0",
"cffi==1.14.4",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blocking: Bump exclude-newer (pyproject.toml:46) past 2026-06-12, or add an exclude-newer-package override for cryptography, to unblock resolution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant