Skip to content

fix: widen cryptography cap to allow >=48.0.1 and relax stale pytz pin#1060

Closed
Sean McGroarty (mcgizzle) wants to merge 1 commit into
airbytehq:mainfrom
mcgizzle:widen-cryptography-pytz-caps
Closed

fix: widen cryptography cap to allow >=48.0.1 and relax stale pytz pin#1060
Sean McGroarty (mcgizzle) wants to merge 1 commit into
airbytehq:mainfrom
mcgizzle:widen-cryptography-pytz-caps

Conversation

@mcgizzle

@mcgizzle Sean McGroarty (mcgizzle) commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

What

Remove the <47.0.0 upper bound on cryptography (the !=45.0.0,!=45.0.1 regression exclusions are kept) and relax pytz from the exact 2024.2 pin to >=2024.2.

Why

The <47.0.0 cap forces consumers onto cryptography==46.0.7, which carries a HIGH-severity advisory (SNYK-PYTHON-CRYPTOGRAPHY-17344551): an out-of-bounds read in the ASN.1 decoder reachable via d2i_X509() / d2i_PKCS7(). The remediation ships in cryptography==48.0.1 (a bundled-OpenSSL bump), which the current cap forbids.

The cap is not transitive-forced. The only packages in the tree that depend on cryptography (google-auth via google-cloud-secret-manager, pdfminer.six, pyjwt) impose lower bounds only. The earlier "Constrained as transitive dependency" note was already removed in #975; this change lifts the remaining arbitrary upper bound.

Verification

  • poetry lock followed by poetry update cryptography resolves the full dependency set to cryptography==49.0.0 with no conflict; the lock diff is a single package bump (46.0.7 to 49.0.0).
  • The declarative JWT auth tests (unit_tests/sources/declarative/auth/) pass against 49.0.0 (99 passed).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency version constraints to allow newer supported releases.
    • Broadened the allowed range for one timezone library and removed the upper limit from the cryptography library, while still avoiding known problematic releases.
    • Aligned internal dependency-check settings with the updated version rules.

Drop the `<47.0.0` upper bound on cryptography so a patched
`cryptography>=48.0.1` can be installed. 48.0.1 bundles the OpenSSL fix
for an ASN.1 decoder out-of-bounds read in `d2i_X509()`/`d2i_PKCS7()`
(SNYK-PYTHON-CRYPTOGRAPHY-17344551); the prior cap forced 46.0.7, which
is flagged HIGH-vulnerable.

No transitive dependency requires the upper cap: the only packages in
the tree that depend on cryptography (google-auth via
google-cloud-secret-manager, pdfminer.six, pyjwt) impose lower bounds
only. A full resolution with the cap removed selects cryptography 49.0.0
with no conflict, and the declarative JWT auth tests pass against it.

The 45.0.0/45.0.1 regression exclusions are kept. Also relax the stale
`pytz == 2024.2` pin to `>=2024.2`.

Signed-off-by: mcgizzle <sean@originator.inc>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the community PRs from community contributors label Jun 25, 2026
@mcgizzle Sean McGroarty (mcgizzle) marked this pull request as ready for review June 26, 2026 08:03
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3d81d0c0-fd05-436a-9838-66039fd7083e

📥 Commits

Reviewing files that changed from the base of the PR and between d828c57 and 9f70e0c.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

Walkthrough

pyproject.toml updates the cryptography and pytz dependency constraints, and revises the Deptry DEP002 ignore comment for cryptography.

Changes

Dependency constraint updates

Layer / File(s) Summary
Dependency specifiers and Deptry comment
pyproject.toml
cryptography drops its upper version cap while keeping the exclusions, pytz changes to a lower-bounded range, and the Deptry DEP002 ignore comment is updated.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: widening the cryptography constraint and relaxing the pytz pin.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mcgizzle

Copy link
Copy Markdown
Contributor Author

Aaron ("AJ") Steers (@aaronsteers) the red checks here are all fork-secret limitations, not problems with the change.

The five connector jobs (source-intercom, source-pokeapi, source-shopify, source-hardcoded-records, destination-motherduck) all fail at the same line fetching test creds from GSM: "No Google Cloud credentials found", because GCP_GSM_CREDENTIALS isn't exposed to fork PRs. The "PR Welcome Message" job fails with a 403 "Resource not accessible by integration" for the same reason: the fork token is read-only.

Everything that validates the actual change passed: full pytest matrix (3.10 to 3.13), MyPy, Ruff, Deptry, and both Docker image builds. The connector jobs got past dependency resolution and CDK install before hitting the secret fetch, so the widened cryptography / relaxed pytz pins don't break installs.

Could you re-run the connector tests with secrets, or merge if the green checks are sufficient? Happy to rebase if needed.

@aaronsteers

Aaron ("AJ") Steers (aaronsteers) commented Jun 26, 2026

Copy link
Copy Markdown
Member

Sean McGroarty (@mcgizzle) - Thanks very much for contributing to Airbyte. I'm evaluating these changes and will create a new PR shortly, possibly with a few tweaks. I'll include your commits in my branch so you retain credit when we do merge.

If you have any testing data specifically from successful testing you might have done locally, please feel free to share that here or on the new PR when it opens. Much appreciated!

@aaronsteers

Copy link
Copy Markdown
Member

@aaronsteers

Copy link
Copy Markdown
Member

Above PR has been merged and released:

Sean McGroarty (@mcgizzle) - Thank you again for this contribution 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community PRs from community contributors

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants