fix(deps): widen cryptography and pytz constraints #1061

Merged
Aaron ("AJ") Steers (aaronsteers) merged 4 commits into
mainfrom
devin/1782491209-widen-cryptography-pytz
Jun 26, 2026
Conversation

@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Jun 26, 2026

Member

Summary

Based on community PR #1060 by Sean McGroarty (@mcgizzle) (first commit preserved for attribution).

Dependency constraint changes:

  • cryptography: >=44.0.0,<47.0.0,!=45.0.0,!=45.0.1 → >=44.0.0,!=45.0.0,!=45.0.1
    • Removes upper cap that blocked >=48.0.1 (fixes HIGH-severity ASN.1 OOB read: SNYK-PYTHON-CRYPTOGRAPHY-17344551)
    • Lock resolves to 49.0.0
  • pytz: 2024.2 (exact pin) → >=2024.2
    • pytz releases only ship IANA tz data updates — no API changes
    • Lock resolves to 2026.2

Cleanup:

  • Removed cryptography from deptry DEP002 ignore list — it's directly imported (airbyte_cdk/sources/declarative/auth/jwt.py), so the unused-dependency exception was not needed.

Lock file: Regenerated with Poetry 2.1.4 (matching main) instead of the community PR's 2.4.1, avoiding marker format churn.

Link to Devin session: https://app.devin.ai/sessions/3b5b16c66fc4418097ed6b05d31385e7
Requested by: Aaron ("AJ") Steers (@aaronsteers)

Drop the `<47.0.0` upper bound on cryptography so a patched
`cryptography>=48.0.1` can be installed. 48.0.1 bundles the OpenSSL fix
for an ASN.1 decoder out-of-bounds read in `d2i_X509()`/`d2i_PKCS7()`
(SNYK-PYTHON-CRYPTOGRAPHY-17344551); the prior cap forced 46.0.7, which
is flagged HIGH-vulnerable.

No transitive dependency requires the upper cap: the only packages in
the tree that depend on cryptography (google-auth via
google-cloud-secret-manager, pdfminer.six, pyjwt) impose lower bounds
only. A full resolution with the cap removed selects cryptography 49.0.0
with no conflict, and the declarative JWT auth tests pass against it.

The 45.0.0/45.0.1 regression exclusions are kept. Also relax the stale
`pytz == 2024.2` pin to `>=2024.2`.

Signed-off-by: mcgizzle <sean@originator.inc>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Regenerate lock file using Poetry 2.1.4 (matching main) instead of
2.4.1 to avoid unnecessary format changes in marker syntax.

Co-Authored-By: AJ Steers <aj@airbyte.io>
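The reasoning in the description and commit message above (an upper cap that can never admit the patched release, a lock that therefore resolves to a vulnerable version, and a widened constraint that lets the lock move to 49.0.0) can be checked mechanically. The block below is an added example and is not code from the airbyte-python-cdk repository or from Poetry. The constraint strings, the 48.0.1 patched floor and the lock-file excerpts are constructed from what the PR states; the specifier parser covers only the operators used here, not the full PEP 440 grammar.

```python
"""Audit a Poetry lock file against pyproject constraints and a patched floor.

Added example, not code from the airbyte-python-cdk repository. The constraint
strings and lock excerpts are constructed from the PR description; the
specifier parser handles only the operators used here (>=, <=, ==, !=, >, <)
and plain numeric versions, not the full PEP 440 grammar.
"""
import re
from typing import Dict, List, Tuple

# Constructed: constraints before (old) and after (new) this PR.
OLD_CONSTRAINTS = {
    "cryptography": ">=44.0.0,<47.0.0,!=45.0.0,!=45.0.1",
    "pytz": "==2024.2",
}
NEW_CONSTRAINTS = {
    "cryptography": ">=44.0.0,!=45.0.0,!=45.0.1",
    "pytz": ">=2024.2",
}
# First release carrying the fix the PR cites (SNYK-PYTHON-CRYPTOGRAPHY-17344551).
PATCHED_FLOOR = {"cryptography": "48.0.1"}

# Constructed poetry.lock excerpts in the [[package]] layout Poetry writes
# (name and version are the first two keys of each block).
OLD_LOCK = '''
[[package]]
name = "cryptography"
version = "46.0.7"
description = "cryptography is a package which provides cryptographic recipes"

[[package]]
name = "pytz"
version = "2024.2"
'''
NEW_LOCK = OLD_LOCK.replace('"46.0.7"', '"49.0.0"').replace('"2024.2"', '"2026.2"')

_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")
_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '49.0' or '49.0.0' into a tuple padded to three parts so they compare."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Map package name -> version for every [[package]] block in a poetry.lock."""
    pat = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')
    return dict(pat.findall(lock_text))


def audit(lock_text: str, constraints: Dict[str, str],
          floors: Dict[str, str]) -> Dict[str, List[str]]:
    """Per package, list why the lock is unacceptable; an empty dict means clean."""
    locked = locked_versions(lock_text)
    problems: Dict[str, List[str]] = {}
    for name, spec in constraints.items():
        issues: List[str] = []
        ver = locked.get(name)
        floor = floors.get(name)
        if ver is None:
            issues.append("not present in lock file")
        else:
            if not satisfies(ver, spec):
                issues.append(f"{ver} violates constraint {spec}")
            if floor and parse_version(ver) < parse_version(floor):
                issues.append(f"{ver} is below patched floor {floor}")
        # A constraint that can never admit the patched release is itself a finding:
        # no lock refresh will ever pull the fix until the constraint changes.
        if floor and not satisfies(floor, spec):
            issues.append(f"constraint {spec} excludes patched release {floor}")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    print("before PR:", audit(OLD_LOCK, OLD_CONSTRAINTS, PATCHED_FLOOR))
    print("after PR: ", audit(NEW_LOCK, NEW_CONSTRAINTS, PATCHED_FLOOR))
```

Run against the "before" pair it reports two findings for cryptography (46.0.7 is below the 48.0.1 floor, and the `<47.0.0` cap excludes 48.0.1 outright), which is the situation the PR fixes; against the "after" pair it reports nothing. The third check is the one worth keeping in CI: a cap that excludes the patched release means `poetry lock` will silently keep resolving to a vulnerable version until someone edits pyproject.toml.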
@devin-ai-integration

Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@github-actions


👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.


Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1782491209-widen-cryptography-pytz#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1782491209-widen-cryptography-pytz

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment

@aaronsteers Aaron ("AJ") Steers (aaronsteers) marked this pull request as ready for review June 26, 2026 16:34
Copilot AI review requested due to automatic review settings June 26, 2026 16:34
Per review feedback, simplify the DEP002 comment to reference the
constraint above rather than duplicating the rationale.

Co-Authored-By: AJ Steers <aj@airbyte.io>

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


Copilot AI left a comment


Pull request overview

This PR updates dependency constraints in the CDK’s Poetry project to allow installing patched versions of cryptography (addressing a security advisory) and to relax an exact pin on pytz, then regenerates poetry.lock accordingly.

Changes:

  • Removed the <47.0.0 upper bound on cryptography while keeping exclusions for 45.0.0 and 45.0.1.
  • Relaxed pytz from an exact pin (2024.2) to a lower-bounded constraint (>=2024.2).
  • Regenerated poetry.lock, resulting in cryptography==49.0.0 and pytz==2026.2 in the resolved set.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File            Description
pyproject.toml  Broadens cryptography constraint and relaxes pytz pin; minor update to deptry ignore comment/entry.
poetry.lock     Updates resolved versions/hashes/markers for cryptography, pytz, and related lock metadata.


coderabbitai Bot commented Jun 26, 2026

Contributor

Walkthrough

pyproject.toml now allows newer cryptography and pytz releases, and the deptry DEP002 ignore entry for cryptography was removed.

Changes

Pyproject dependency policy

Layer / File(s): Dependency constraints and deptry ignore (pyproject.toml)
Summary: cryptography now uses a lower-bound constraint with exclusions, pytz now uses a lower-bound constraint, and cryptography is removed from the DEP002 ignore list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly summarizes the main dependency constraint updates for cryptography and pytz.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.

github-actions Bot commented Jun 26, 2026


PyTest Results (Fast)

4 123 tests (±0): 4 111 passed (-1), 12 skipped (+1), 0 failed (±0); 1 suite, 1 file; 7m 52s (-44s)

Results for commit b56212c. ± Comparison against base commit d828c57.

This pull request skips 1 test.
unit_tests.sources.declarative.test_concurrent_declarative_source ‑ test_read_with_concurrent_and_synchronous_streams


github-actions Bot commented Jun 26, 2026


PyTest Results (Full)

4 126 tests (±0): 4 114 passed (±0), 12 skipped (±0), 0 failed (±0); 1 suite, 1 file; 12m 20s (+21s)

Results for commit b56212c. ± Comparison against base commit d828c57.


cryptography is directly imported (e.g. in airbyte_cdk/sources/declarative/auth/jwt.py),
so it is not an unused dependency and does not need to be in the deptry ignore list.

Co-Authored-By: AJ Steers <aj@airbyte.io>
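The commit message above makes a deptry DEP002 argument: a dependency that the source tree directly imports is not "unused", so an ignore entry for it is stale and should go. The block below is an added example of how that determination can be made from a pyproject excerpt and a set of source files; it is not the CDK's code and not deptry itself, which does the same job using installed package metadata. The pyproject excerpt, the in-memory source files and the distribution-to-import-name table are all constructed for illustration.

```python
"""Decide whether a deptry DEP002 ("declared but unused") ignore is still needed
by comparing declared dependencies with the names a source tree actually imports.

Added example; not the CDK's code and not deptry itself, which does the same
job with real package metadata. The pyproject excerpt, the in-memory source
files and the distribution-to-import-name table are all constructed.
"""
import ast
import re
from typing import Dict, List, Set

# Constructed pyproject.toml excerpt with a DEP002 ignore list that may be stale.
PYPROJECT = '''
[tool.poetry.dependencies]
python = ">=3.10"
cryptography = ">=44.0.0,!=45.0.0,!=45.0.1"
pytz = ">=2024.2"
PyJWT = "^2.8.0"
google-cloud-secret-manager = "^2.17.0"

[tool.deptry.per_rule_ignores]
DEP002 = ["cryptography", "google-cloud-secret-manager"]
'''

# Constructed in-memory source tree: path -> contents.
SOURCES = {
    "airbyte_cdk/sources/declarative/auth/jwt.py": (
        "import jwt\n"
        "from cryptography.hazmat.primitives import serialization\n"
    ),
    "airbyte_cdk/utils/clock.py": "import pytz\n",
}

# Distribution name -> top-level import names, for distributions whose import
# name differs. Constructed; deptry reads this from installed package metadata.
IMPORT_NAMES: Dict[str, Set[str]] = {
    "pyjwt": {"jwt"},
    "google-cloud-secret-manager": {"google"},
}


def normalize(name: str) -> str:
    """PEP 503 normalization so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject: str) -> List[str]:
    """Dependency names from [tool.poetry.dependencies], excluding the python marker."""
    block = re.search(r"\[tool\.poetry\.dependencies\]\n(.*?)(?:\n\[|\Z)", pyproject, re.S)
    names: List[str] = []
    for line in block.group(1).splitlines():
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*=", line)
        if m and m.group(1).lower() != "python":
            names.append(m.group(1))
    return names


def dep002_ignores(pyproject: str) -> List[str]:
    """Entries of the DEP002 per-rule ignore list, if any."""
    m = re.search(r"DEP002\s*=\s*\[([^\]]*)\]", pyproject)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def imported_top_levels(sources: Dict[str, str]) -> Set[str]:
    """Top-level module names imported anywhere in the tree (absolute imports only)."""
    found: Set[str] = set()
    for path, code in sources.items():
        for node in ast.walk(ast.parse(code, filename=path)):
            if isinstance(node, ast.Import):
                found.update(alias.name.split(".")[0] for alias in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                found.add(node.module.split(".")[0])
    return found


def unused_dependencies(pyproject: str, sources: Dict[str, str]) -> Set[str]:
    """Declared distributions none of whose import names appear in the tree (DEP002)."""
    imported = imported_top_levels(sources)
    unused: Set[str] = set()
    for dep in declared_dependencies(pyproject):
        key = normalize(dep)
        candidates = IMPORT_NAMES.get(key, {key.replace("-", "_")})
        if not candidates & imported:
            unused.add(key)
    return unused


def stale_ignores(pyproject: str, sources: Dict[str, str]) -> Set[str]:
    """DEP002 ignore entries whose distribution is in fact imported: safe to remove."""
    ignored = {normalize(i) for i in dep002_ignores(pyproject)}
    return ignored - unused_dependencies(pyproject, sources)


if __name__ == "__main__":
    print("unused:", sorted(unused_dependencies(PYPROJECT, SOURCES)))
    print("stale DEP002 ignores:", sorted(stale_ignores(PYPROJECT, SOURCES)))
```

With the constructed inputs, `cryptography` is imported by the JWT module and so comes back as a stale ignore, while `google-cloud-secret-manager` (imported nowhere in the sample tree) remains a legitimate DEP002 case. The import-name table is the part that needs care in real use: PyJWT is imported as `jwt`, and Google client libraries share the `google` namespace, so matching on distribution name alone produces false positives.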
@aaronsteers Aaron ("AJ") Steers (aaronsteers) changed the title fix(deps): widen cryptography cap and relax pytz pin fix(deps): widen cryptography and pytz constraints Jun 26, 2026
@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit cdd7014 into main Jun 26, 2026
31 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1782491209-widen-cryptography-pytz branch June 26, 2026 19:34