
fix: Widen cryptography dependency to >=44.0.0,<47.0.0 for CVE-2026-26007 #975

Draft
devin-ai-integration[bot] wants to merge 2 commits into main from devin/1775067657-widen-cryptography-constraint

Conversation


@devin-ai-integration devin-ai-integration bot commented Apr 1, 2026

Summary

Widens the cryptography package constraint from >=44.0.0,<45.0.0 to >=44.0.0,<47.0.0 to allow resolution of version 46.0.5+, which includes the fix for CVE-2026-26007.

The <45.0.0 pin was added in #377 (March 2025) because cryptography 45.0.0 introduced regressions in load_pem_private_key() (pyca/cryptography#12958, pyca/cryptography#13126, pyca/cryptography#13196). Those upstream regressions were fixed in 45.0.2+, so the pin is no longer necessary.

The lock file now resolves cryptography to 46.0.6.

Resolves https://github.com/airbytehq/oncall/issues/11849:

Related: #956

Updates since last revision

Regenerated poetry.lock using poetry update cryptography (instead of a full poetry lock) to minimize transitive dependency changes. Only three packages changed in the lock file:

Package       Old      New      Reason
cryptography  44.0.2   46.0.6   Target of this PR
cffi          1.17.1   2.0.0    Transitive dep of cryptography
numpy         2.3.4    2.2.6    Minor re-resolve (downgrade)

Note on lock file diff size: The diff appears large because the lock file was regenerated with Poetry 1.8.5 (lock-version 2.0), which strips groups and markers metadata lines that Poetry 2.0.1 (lock-version 2.1) adds. The actual dependency version changes are limited to the three packages above.

Review & Testing Checklist for Human

  • Lock file Poetry version mismatch (high risk): The lock file was regenerated with Poetry 1.8.5 (lock-version 2.0), whereas the previous lock used Poetry 2.0.1 (lock-version 2.1). This strips groups and markers fields throughout the lock file. If the repo standardizes on Poetry 2.x, the lock should be regenerated with Poetry 2.x instead — this would produce a much smaller diff.
  • cffi 2.0.0 major version bump: cffi was bumped from 1.17.1 to 2.0.0 as a transitive dependency of cryptography. Verify no regressions from this major version change.
  • JWT key loading: The CDK uses cryptography.hazmat.primitives.serialization.load_pem_private_key() in airbyte_cdk/sources/declarative/auth/jwt.py:189. This was the function affected by the 45.0.0 regressions. Verify the existing JWT authenticator tests pass with cryptography 46.x.

Recommended test plan: Let CI run the full test suite. A prior attempt (#968) ran 3,945 CDK tests with cryptography <47.0.0 and saw zero failures.

Notes

  • Prior art: chore(deps): update nltk to 3.9.4 #968 widened to <47.0.0 and all tests passed. The cryptography change was reverted in that PR for unrelated reasons (precautionary), not due to test failures.
  • This is not a breaking change — it only widens the allowed version range of a transitive dependency.

Link to Devin session: https://app.devin.ai/sessions/4415d37e078741ed8d1ab92d3fc99743
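As an added example (not code from the PR or the Airbyte CDK), the check a reviewer would run on the lock file this PR describes: does the widened constraint admit the first release carrying the CVE-2026-26007 fix, and does the resolved version actually carry it? The poetry.lock fragment is constructed from the version table above; the constraint strings and the 46.0.5 floor come from the PR text.

```python
# Added example, not code from the PR or the Airbyte CDK: audit a poetry.lock
# fragment against the old and new cryptography constraints. Stdlib only.
import operator
import re

OLD_CONSTRAINT = ">=44.0.0,<45.0.0"  # pin from #377
NEW_CONSTRAINT = ">=44.0.0,<47.0.0"  # this PR
CVE_2026_26007_FIXED_IN = "46.0.5"   # first release with the fix, per the PR

# Constructed poetry.lock fragment reflecting the PR's "after" state.
LOCK_AFTER = '''
[[package]]
name = "cffi"
version = "2.0.0"

[[package]]
name = "cryptography"
version = "46.0.6"
'''

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^(>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")
_PACKAGE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def parse_version(text):
    """Plain dotted releases only (enough for the versions in this PR)."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # 46.0 -> (46, 0, 0)

def satisfies(version, constraint):
    """Every comma-separated clause of the constraint must hold."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

def audit(lock_text, constraint, fixed_in=CVE_2026_26007_FIXED_IN):
    """Is the locked cryptography in range, and does it carry the CVE fix?"""
    resolved = dict(_PACKAGE.findall(lock_text))["cryptography"]
    return {
        "in_range": satisfies(resolved, constraint),
        "fix_reachable": satisfies(fixed_in, constraint),
        "has_fix": parse_version(resolved) >= parse_version(fixed_in),
    }
```

Under the old pin the same lock fails `in_range`, which is exactly why the constraint had to move before the fixed release could be resolved.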

…6007

The cryptography package was pinned to <45.0.0 due to upstream key loading
regressions in 45.0.0 (pyca/cryptography#12958, #13126, #13196). Those
regressions were fixed in 45.0.2+, and the pin now blocks the fix for
CVE-2026-26007 (fixed in 46.0.5).

Widen the constraint to <47.0.0 so the resolver picks up 46.0.6 (latest)
which includes the CVE fix.

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

github-actions bot commented Apr 1, 2026

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.


Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1775067657-widen-cryptography-constraint#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1775067657-widen-cryptography-constraint

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment

@github-actions

github-actions bot commented Apr 1, 2026

PyTest Results (Fast)

3 975 tests  ±0   3 963 ✅  - 1   6m 54s ⏱️ -38s
    1 suites ±0      12 💤 +1 
    1 files   ±0       0 ❌ ±0 

Results for commit 1ce5fe4. ± Comparison against base commit 69cd63d.

This pull request skips 1 test.
unit_tests.sources.declarative.test_concurrent_declarative_source ‑ test_read_with_concurrent_and_synchronous_streams

♻️ This comment has been updated with latest results.

Use 'poetry update cryptography' instead of 'poetry lock' to avoid
updating unrelated transitive dependencies that caused MyPy failures.

Co-Authored-By: bot_apk <apk@cognition.ai>
@github-actions

github-actions bot commented Apr 1, 2026

PyTest Results (Full)

3 978 tests  ±0   3 966 ✅ ±0   11m 27s ⏱️ +7s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 1ce5fe4. ± Comparison against base commit 69cd63d.
