chore(deps): bump cryptography from 45.0.7 to 49.0.0#262
chore(deps): bump cryptography from 45.0.7 to 49.0.0#262dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 49.0.0. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.7...49.0.0) --- updated-dependencies: - dependency-name: cryptography dependency-version: 49.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
rtibblesbot
left a comment
There was a problem hiding this comment.
Babel 7→8 major bump (4 packages, mixed prod/dev) — breaks the build. CI failing.
- Packages:
@babel/core7.29.7→8.0.1,@babel/preset-env7.29.7→8.0.2,@babel/plugin-transform-runtime7.29.7→8.0.1,@babel/runtime7.29.7→8.0.0 - Semver risk: Major
- Dependency type: Mixed —
@babel/runtimeis a production dependency (kolibri/plugins/media_player/package.json); the rest are build/dev tooling - Breaking change: Babel 8 fully removed
preset-env'suseBuiltInsoption (babel/babel#18079). Three in-repo configs still set it —kolibri/core/buildConfig.js:29,packages/kolibri-jest-config/jest.conf/babel.config.js:6,packages/kolibri-sandbox/babel.config.js:7— none touched by this manifest/lockfile-only PR. Per the migration guide, these needbabel-plugin-polyfill-corejs3in place ofuseBuiltIns. - Security fixes: none noted
- CI status: Failing — confirmed as a direct consequence of the above:
Kolibri Build Assets for Pull Requesterrors withThe 'useBuiltIns' option has been removed, andJavascript Testsfails identically, taking down all 262 Jest suites (0 tests run).
Blocking — this needs the config migration alongside the bump before it can merge.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==49.0.0", | ||
| "cffi==1.14.4", |
There was a problem hiding this comment.
blocking: Bump exclude-newer (pyproject.toml:46) past 2026-06-12, or add an exclude-newer-package override for cryptography, to unblock resolution.
|
Correction: the review just posted above (referencing a Babel dependency bump) was generated in error due to a tooling malfunction and does not apply to this PR. Please disregard it — the correct review of this |
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency bump: cryptography 45.0.7 → 49.0.0 (production dependency, pyproject.toml). Multi-major jump (45→49).
- CI: failing on all 3 checks (Build EXE, Build DMG, All file linting), same root cause everywhere — the version bump is not the culprit.
pyproject.toml'stool.uv.exclude-newer = "2026-06-03T00:00:00Z"(line 46) predatescryptography49.0.0's publish date (2026-06-12), souvrefuses to resolve it: "cryptography was filtered by exclude-newer to only include packages uploaded before 2026-06-03T00:00:00Z." See inline comment. - Breaking changes in 49.0.0 (per release notes, to revisit once resolvable):
- Drops
x86_64macOS wheels (arm64-only) and 32-bit Windows wheels. - Removes deprecated type aliases (
PUBLIC_KEY_TYPESetc., deprecated since 40.0). ChaCha20now raises on 32-bit nonce counter overflow instead of silently diverging.- X.509 certs with NULL-encoded ECDSA/DSA signature params now raise
ValueErroron load instead of warning. - No security fixes called out beyond routine deprecation removal.
- Drops
- Compatibility: no direct
cryptographyimports found insrc/— it's a transitive/build-chain dependency, so these API removals are unlikely to touch this project's own code. - A lower-risk
dependabot/pip/cryptography-46.0.7branch already exists if 49.0.0 continues to cause resolver friction.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
| "wxPython==4.2.2", | ||
| "cryptography==45.0.7", | ||
| "cryptography==49.0.0", | ||
| "cffi==1.14.4", |
There was a problem hiding this comment.
blocking: Bump exclude-newer (pyproject.toml:46) past 2026-06-12, or add an exclude-newer-package override for cryptography, to unblock resolution.
Bumps cryptography from 45.0.7 to 49.0.0.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
e300bbebump version and changelog for 49.0.0 (#15030)fa74cd8Add external mu (message representative) support for ML-DSA (#14979)f594db3chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)608e011chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)a322bc4chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)33181a7Reject critical nameConstraints extensions containing directoryName constrain...6080dc7Bump dependencies that dependabot isn't (#15026)121faa3chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)829520bAdd more robust processing for DH parameters. (#15016)0f05001Bump downstream dependencies in CI (#15025)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)