
Bump cryptography from 46.0.7 to 47.0.0 #94

Merged
docktermj merged 2 commits into main from dependabot/pip/cryptography-47.0.0 on May 19, 2026

Conversation

Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps cryptography from 46.0.7 to 47.0.0.

Changelog

Sourced from cryptography's changelog.

47.0.0 - 2026-04-24


* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* **BACKWARDS INCOMPATIBLE:** When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length because
  such keys are impossible to process in a constant-time manner. We do not
  believe keys with this problem are in wide use, however we may revert this
  change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: ``key + key + key``,
  for two-key: ``key + key[:8]``).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
  and will be removed in the next release. We will switch to publishing an
  ``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
  and will be removed in the next release. Users should move to a 64-bit
  Python installation.
* ``public_bytes`` and ``private_bytes`` methods on keys now raise
  ``TypeError`` (instead of ``ValueError``) if an invalid encoding is provided
  for the given ``format``.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the ``modes`` module.
  They will be removed from the ``modes`` module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into  :doc:`/hazmat/decrepit/index` and deprecated it in the ``cipher`` module.
  It will be removed from the ``cipher`` module in 49.0.0.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 47.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...47.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 47.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
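Two of the changelog items quoted above affect calling code directly: the key loaders now raise `UnsupportedAlgorithm` where 46.x raised `ValueError`, and TripleDES keys shorter than 24 bytes are deprecated. The following is an added example, not code from this PR or from the cryptography project, showing helpers a downstream project could use to stay compatible across the bump; the names `load_private_key_compat`, `expand_tdes_key` and `make_test_pem` are assumptions, and the sample PEM is constructed in-process.

```python
from typing import Optional

from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

# 46.x raised ValueError for keys with unsupported algorithms or explicit
# curve encodings; 47.0.0 raises UnsupportedAlgorithm instead. Catching both
# keeps one code path working on either side of the upgrade.
LOAD_ERRORS = (ValueError, UnsupportedAlgorithm)


def load_private_key_compat(pem: bytes, password: Optional[bytes] = None):
    """Load a PEM private key; return (key, None) or (None, exception)."""
    try:
        return serialization.load_pem_private_key(pem, password=password), None
    except LOAD_ERRORS as exc:
        return None, exc


def expand_tdes_key(key: bytes) -> bytes:
    """Expand an 8- or 16-byte TripleDES key to the 24-byte form using the
    expansions given in the 47.0.0 changelog (single DES: K K K, two-key: K1 K2 K1)."""
    if len(key) == 24:
        return key
    if len(key) == 16:
        return key + key[:8]
    if len(key) == 8:
        return key + key + key
    raise ValueError(f"TripleDES key must be 8, 16 or 24 bytes, got {len(key)}")


def make_test_pem() -> bytes:
    """Constructed sample input: a fresh P-256 key serialized as PKCS8 PEM."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )


if __name__ == "__main__":
    key, err = load_private_key_compat(make_test_pem())
    print("loaded curve:", key.curve.name if key else err)
    _, err = load_private_key_compat(b"-----BEGIN PRIVATE KEY-----\nnope\n-----END PRIVATE KEY-----\n")
    print("bad key rejected with:", type(err).__name__)
    print("expanded 3DES key:", expand_tdes_key(b"\x01" * 8).hex())
```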
@dependabot dependabot Bot added labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) May 19, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 19, 2026 03:34
@github-actions

🤖 Claude Code Review

PR Code Review

This is a minimal dependency bump PR updating cryptography from 46.0.7 to 47.0.0.


Code Quality

  • Style guide: Single-line change in pyproject.toml, no style concerns.
  • No commented-out code: N/A
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic changes introduced. cryptography is a dev/test dependency only (in the development group), so no production code is affected.
  • CLAUDE.md: No issues; the project config is appropriately general.

Testing

  • ✅ Existing tests should cover any behavioral changes from the dependency bump. No new code requires new tests.
  • ⚠️ Note: Confirm CI passes — cryptography 47.0.0 is a major version bump and may include breaking changes. Worth verifying the test suite runs cleanly against it.

Documentation

  • README/API docs: No changes needed for a dep bump.
  • CHANGELOG.md: Not present in this repo based on recent commits; no action needed.
  • Markdown formatting: N/A

Security

  • No hardcoded credentials: N/A
  • No license files (.lic / AQAAAD): None present.
  • Security posture: Bumping cryptography is a security-positive action — this library frequently releases patches for CVEs. Upgrading is recommended.

Summary: This is a straightforward dev-dependency version bump. The only action item is confirming CI passes, since cryptography 47.x is a major version. No blockers.

Automated code review analyzing defects and coding standards

@docktermj docktermj enabled auto-merge (squash) May 19, 2026 14:34
@docktermj docktermj self-assigned this May 19, 2026
@docktermj docktermj merged commit db24e5f into main May 19, 2026
14 checks passed
@github-actions

🤖 Claude Code Review

PR Code Review

Summary: This is a single-line dependency bump — cryptography from 46.0.7 → 47.0.0 in the development dependency group of pyproject.toml. This appears to be an automated Dependabot PR.


Code Quality

  • Code style — No Python code changed; pyproject.toml edit is minimal and correct.
  • No commented-out code — N/A.
  • Meaningful variable names — N/A.
  • DRY principle — N/A.
  • Defects — No logic, no bugs. cryptography is a development-only dependency (test/build tooling), so this has no impact on production behavior. The bump is a minor version increment; cryptography 47.x maintains backward compatibility with 46.x for typical usage.

Testing

  • Unit/integration tests — No new code introduced; no new tests required.
  • Test coverage — N/A.

Documentation

  • CHANGELOG.md not updated — The diff does not include a CHANGELOG.md entry. Even for dependency bumps, a changelog entry under an "Unreleased" or patch section is expected per common practice. If this project treats automated dependency bumps as exempt, that policy should be documented.
  • README/API docs — No changes needed.

Security

  • No hardcoded credentials — None present.
  • No sensitive data — N/A.
  • No license files — No .lic files or AQAAAD-prefixed strings detected.
  • Security posture — Bumping cryptography is a net security positive; newer versions patch known CVEs (e.g., CVE-2024-12797 addressed in 44.x series, ongoing hardening in 45–47).

Overall

Approve with minor note. The change is correct and safe. The only action item is:

  • Consider adding a CHANGELOG.md entry (e.g., under `[Unreleased]` → `### Changed`: Bump cryptography from 46.0.7 to 47.0.0), unless the project policy explicitly exempts automated dependency bumps from changelog tracking.

Automated code review analyzing defects and coding standards

@docktermj docktermj deleted the dependabot/pip/cryptography-47.0.0 branch May 19, 2026 14:37