build(deps): Bump cryptography from 47.0.0 to 48.0.1

[dependabot]

Bumps cryptography from 47.0.0 to 48.0.1.

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.
.. _v48-0-0:
48.0.0 - 2026-05-04

• BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed. cryptography now requires Python 3.9 or later.

• BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner TBSCertList.signature algorithm does not match the outer signatureAlgorithm now raises ValueError. Previously, such CRLs were parsed successfully and only rejected during signature validation.

• Added support for :doc:/hazmat/primitives/asymmetric/mlkem and :doc:/hazmat/primitives/asymmetric/mldsa when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.

  • Note: Going forward, we do not guarantee that all functionality in cryptography will be available when building against OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

Commits

• de987ce 48.0.1 version bump and changelog (#14996)
• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• Additional commits viewable in compare view

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e7b6711. Configure here.}

[cursor]

Objectstore client downgraded

High Severity

This lockfile change pins objectstore-client at 0.0.14 instead of the prior 0.1.8, and drops its pyjwt extra that pulled in cryptography. Integration tests use the 0.1.x client API (Client, Usecase, session, get) against the same objectstore version as the Rust 0.1.8 crate, so CI can fail or behave differently than production.

 

^{Reviewed by Cursor Bugbot for commit e7b6711. Configure here.}

[cursor]

Cryptography bump missing

Medium Severity

The lockfile no longer contains any cryptography package entry after this change, so the intended upgrade to 48.0.1 never lands. Previously cryptography 47.0.0 was locked via pyjwt[crypto] and types-pyopenssl; those packages are removed too, leaving dev environments without the updated wheel this PR is meant to deliver.

Additional Locations (1)

• uv.lock#L459-L461

 

^{Reviewed by Cursor Bugbot for commit e7b6711. Configure here.}

[Dav1dde]

@dependabot rebase

[Dav1dde]

Dependabot sucks

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.