Bump cryptography from 44.0.0 to 48.0.1#4229
Conversation
Bumps [cryptography](https://github.com/pyca/cryptography) from 44.0.0 to 48.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@44.0.0...48.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
AmirF194
left a comment
There was a problem hiding this comment.
Looks safe to merge on green. cryptography is a transitive dependency here (pulled via apprise/spush), and a repo-wide grep for import cryptography / from cryptography returns nothing, including tests, so none of the 44-to-48 API changes reach this codebase. The minimum Python lines up too: setup.py sets python_requires=">= 3.10" and cryptography 48 needs 3.9+. The multi-arch Docker builds (arm/v7 and alpine/musl included) are the real resolution and install test, and they are green, which also disproves the old "no ARM wheels" worry.
I went through the 44-to-48 changelog for breaking changes and none apply here: 47.0.0 removed the binary EC curves and OpenSSL 1.1.x and changed some load errors to UnsupportedAlgorithm, and 48.0.0 dropped Python 3.8 and tightened CRL signature handling. There is no X.509/CRL parsing, key loading, or SECT* curve use anywhere in the code.
One small suggestion while this is open: the comment above the pin is now stale and will mislead the next person. It still says the pin is for "sslyze compatibility (sslyze requires <45)", but sslyze is not a dependency of this project (it appears nowhere except that comment), and the "45.x may not have pre-built ARM wheels" note is moot given the green arm builds. Dependabot will not touch the comment, so updating it here would keep it honest.
Bumps cryptography from 44.0.0 to 48.0.1.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
de987ce48.0.1 version bump and changelog (#14996)8e03e30bump for 48.0.0 release (#14796)295e0d2Add AGENTS.md with CLAUDE.md symlink (#14794)104a2deBump BoringSSL, OpenSSL, AWS-LC in CI (#14793)67ec1e5call check_length early on AesSiv::encrypt (#14792)b2da57achangelog for mldsa/mlkem for openssl (#14791)3cf44adML-KEM OpenSSL support (#14781)2e31639ML-DSA OpenSSL support (#14773)5affe5afix rust nightly clippy (#14790)2e73ca4bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.