fix(deps): widen cryptography and pytz constraints #1061

Aaron ("AJ") Steers (aaronsteers) merged 4 commits into

Conversation
Drop the `<47.0.0` upper bound on cryptography so a patched `cryptography>=48.0.1` can be installed. 48.0.1 bundles the OpenSSL fix for an ASN.1 decoder out-of-bounds read in `d2i_X509()`/`d2i_PKCS7()` (SNYK-PYTHON-CRYPTOGRAPHY-17344551); the prior cap forced 46.0.7, which is flagged HIGH-vulnerable. No transitive dependency requires the upper cap: the only packages in the tree that depend on cryptography (google-auth via google-cloud-secret-manager, pdfminer.six, pyjwt) impose lower bounds only. A full resolution with the cap removed selects cryptography 49.0.0 with no conflict, and the declarative JWT auth tests pass against it. The 45.0.0/45.0.1 regression exclusions are kept. Also relax the stale `pytz == 2024.2` pin to `>=2024.2`.

Signed-off-by: mcgizzle <sean@originator.inc>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
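The commit above reasons about what a resolver will pick under the old capped constraint versus the widened one, and then checks that the regenerated lock lands on a patched release. The script below is an added example (not part of this PR or the airbyte-python-cdk code base) that makes both checks mechanical: it evaluates the two constraint strings from the commit against a constructed list of candidate releases, reports the newest version each constraint admits, and then reads the resolved `cryptography` version out of a constructed `poetry.lock` excerpt. The clause parser only handles the plain numeric `>=`/`<`/`!=` forms used here, not full PEP 440 syntax; the candidate list and lock excerpt are constructed sample data, not a live index query or the project's real lock file.

```python
import re
from typing import Iterable, Optional, Tuple

# Constraints as stated in the PR: the old capped range and the widened one.
OLD_CONSTRAINT = ">=44.0.0,<47.0.0,!=45.0.0,!=45.0.1"
NEW_CONSTRAINT = ">=44.0.0,!=45.0.0,!=45.0.1"
# First cryptography release that bundles the OpenSSL ASN.1 decoder fix (per the PR).
PATCHED_MIN = "48.0.1"

# Constructed candidate release list for this demo; a real check would query the index.
CANDIDATE_RELEASES = ["44.0.0", "45.0.0", "45.0.1", "46.0.7", "48.0.1", "49.0.0"]

# Constructed poetry.lock excerpt (assumed to mirror the real file's [[package]] layout).
LOCK_EXCERPT = """
[[package]]
name = "pytz"
version = "2026.2"

[[package]]
name = "cryptography"
version = "49.0.0"
"""

Version = Tuple[int, ...]

# One comma-separated clause: operator plus a dotted numeric version (simplified, not full PEP 440).
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")
_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
}


def parse_version(text: str) -> Version:
    """Parse a plain dotted release version ("49.0.0") into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets every comma-separated clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        match = _CLAUSE.match(clause.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = match.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def highest_allowed(candidates: Iterable[str], constraint: str) -> Optional[str]:
    """Mimic a resolver's choice: the newest candidate the constraint permits."""
    allowed = [c for c in candidates if satisfies(c, constraint)]
    return max(allowed, key=parse_version) if allowed else None


def admits_patched(constraint: str, candidates: Iterable[str] = CANDIDATE_RELEASES,
                   patched_min: str = PATCHED_MIN) -> bool:
    """Would a resolver, given these candidates, land on a release at or above the fix?"""
    best = highest_allowed(candidates, constraint)
    return best is not None and parse_version(best) >= parse_version(patched_min)


def locked_version(lock_text: str, name: str) -> Optional[str]:
    """Extract the resolved version of `name` from a poetry.lock-style text."""
    pattern = r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"'
    for match in re.finditer(pattern, lock_text):
        if match.group(1) == name:
            return match.group(2)
    return None


def lock_is_patched(lock_text: str, name: str = "cryptography",
                    patched_min: str = PATCHED_MIN) -> bool:
    """Post-regeneration check: the locked version must be at or above the fixed release."""
    version = locked_version(lock_text, name)
    return version is not None and parse_version(version) >= parse_version(patched_min)


if __name__ == "__main__":
    for label, constraint in (("old", OLD_CONSTRAINT), ("new", NEW_CONSTRAINT)):
        print(f"{label}: resolves to {highest_allowed(CANDIDATE_RELEASES, constraint)}, "
              f"patched={admits_patched(constraint)}")
    print("lock patched:", lock_is_patched(LOCK_EXCERPT))
```

Run as-is, the old constraint resolves to 46.0.7 (the version the commit says was being forced) and fails the patched check, while the widened constraint resolves to 49.0.0 and passes; the lock excerpt check confirms the regenerated file is what ships the fix, which is the assertion worth keeping in CI once the upper bound is gone.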
Regenerate lock file using Poetry 2.1.4 (matching main) instead of 2.4.1 to avoid unnecessary format changes in marker syntax.

Co-Authored-By: AJ Steers <aj@airbyte.io>
👋 Greetings, Airbyte Team Member! Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

```shell
# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1782491209-widen-cryptography-pytz#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1782491209-widen-cryptography-pytz
```

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:
Per review feedback, simplify the DEP002 comment to reference the constraint above rather than duplicating the rationale.

Co-Authored-By: AJ Steers <aj@airbyte.io>
Pull request overview
This PR updates dependency constraints in the CDK’s Poetry project to allow installing patched versions of cryptography (addressing a security advisory) and to relax an exact pin on pytz, then regenerates poetry.lock accordingly.
Changes:

- Removed the `<47.0.0` upper bound on `cryptography` while keeping exclusions for `45.0.0` and `45.0.1`.
- Relaxed `pytz` from an exact pin (`2024.2`) to a lower-bounded constraint (`>=2024.2`).
- Regenerated `poetry.lock`, resulting in `cryptography==49.0.0` and `pytz==2026.2` in the resolved set.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pyproject.toml | Broadens cryptography constraint and relaxes pytz pin; minor update to deptry ignore comment/entry. |
| poetry.lock | Updates resolved versions/hashes/markers for cryptography, pytz, and related lock metadata. |
PyTest Results (Fast): 4 123 tests ±0, 4 111 ✅ -1, 7m 52s ⏱️ -44s. Results for commit b56212c. ± Comparison against base commit d828c57. This pull request skips 1 test.
cryptography is directly imported (e.g. in airbyte_cdk/sources/declarative/auth/jwt.py), so it is not an unused dependency and does not need to be in the deptry ignore list.

Co-Authored-By: AJ Steers <aj@airbyte.io>
Summary
Based on community PR #1060 by Sean McGroarty (@mcgizzle) (first commit preserved for attribution).
Dependency constraint changes:
- `cryptography`: `>=44.0.0,<47.0.0,!=45.0.0,!=45.0.1` → `>=44.0.0,!=45.0.0,!=45.0.1` (`>=48.0.1` fixes HIGH-severity ASN.1 OOB read: SNYK-PYTHON-CRYPTOGRAPHY-17344551)
- `pytz`: `2024.2` (exact pin) → `>=2024.2`

Cleanup:

- Removed `cryptography` from the deptry `DEP002` ignore list — it's directly imported (`airbyte_cdk/sources/declarative/auth/jwt.py`), so the unused-dependency exception was not needed.

Lock file: Regenerated with Poetry 2.1.4 (matching `main`) instead of the community PR's 2.4.1, avoiding marker format churn.

Link to Devin session: https://app.devin.ai/sessions/3b5b16c66fc4418097ed6b05d31385e7
Requested by: Aaron ("AJ") Steers (@aaronsteers)