Bump cryptography from 46.0.5 to 46.0.6

[dependabot]

Bumps cryptography from 46.0.5 to 46.0.6.

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Updates a core TLS/X.509 dependency; while this is a patch release (including a security fix), changes in certificate verification behavior can impact auth/connection flows if your app relies on custom PKI/topologies.

Overview
Bumps the locked cryptography dependency in uv.lock from 46.0.5 to 46.0.6, updating the associated sdist/wheel hashes and artifact URLs. This pulls in the upstream patch release that fixes a certificate name-constraints verification bug (CVE-2026-34073).

^{Written by Cursor Bugbot for commit f3bc4b9. This will update automatically on new commits. Configure here.}

---

Summary by cubic

Upgrade cryptography to 46.0.6 to address a security bug in X.509 name constraints with wildcard DNS SANs (CVE-2026-34073). This tightens certificate verification and reduces risk of accepting invalid peer names.

• Dependencies
  • Bumped cryptography from 46.0.5 to 46.0.6 in uv.lock.
  • No app code changes. Stricter cert checks may reject misconfigured TLS certs; monitor affected integrations.

^{Written for commit f3bc4b9. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 1 file

[dependabot]

Superseded by #96.