Bump cryptography from 42.0.8 to 46.0.7

[dependabot]

Bumps cryptography from 42.0.8 to 46.0.7.

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:

</tr></table>

... (truncated)

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• c0af4dd release 46.0.3 (#13681)
• 99efe5a bump version for 46.0.2 (#13531)
• e735cfc release 46.0.1 (#13450)
• 4e457ff Explicitly specify python in mac uv build invocation (#13447)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[rtibblesbot]

Dependency Update Review

Package: cryptography 42.0.8 → 46.0.7
Semver risk: Multi-major (4 major versions)
Dependency type: Production — Chaquopy runtime dependency bundled in the Android app
CI status: ❌ Failing — Build and Test run #27294509637

Changelog Analysis

Sources consulted:

• PR body (truncated — covers 46.0.2–46.0.7 only; versions 43.x–45.x not included)

Security fixes (urgency to merge):

• CVE-2026-39892 (46.0.7): Buffer overflow via non-contiguous Python buffers — patched
• CVE-2026-34073 (46.0.6): Name constraints bypass for wildcard DNS SANs during X.509 verification — patched (ordinary Web PKI topologies unaffected)
• CVE-2026-26007 (46.0.5): Private key disclosure via malicious public key on binary elliptic curves — patched; only affects binary curves (rarely used)

Breaking changes / deprecations:

• SECT* binary elliptic curves deprecated in 46.0.5, removal in next release — unlikely to affect this project
• win_arm64 wheels dropped in 46.0.4 — not relevant to Android
• Versions 43.x–45.x are not shown in the truncated PR body; 3 complete major versions are unreviewed

Other changes:

• OpenSSL updated to 3.5.6 (46.0.7) and 3.5.5 (46.0.4)
• LibreSSL 4.2.0 compilation fix in 46.0.3

Compatibility Assessment

• Chaquopy wheel availability: Unverified — requirements.txt notes these packages must be pinned to versions with prebuilt Chaquopy wheels; CI failed before reaching the Chaquopy/Gradle Python install step, so 46.0.7 wheel support cannot be confirmed from this run (see inline comment)
• Breaking changes in visible changelog: None that affect Android/Python usage
• Unreviewed versions 43.x–45.x: Full changelog for these 3 major version cycles is not shown; breaking API changes remain possible but unconfirmed
• Code changes required: None — requirements.txt change only

CI Failure

Both "Build Debug APK" and "Unit tests" jobs fail at configuration time:

Type 'StreamlineKolibriTask' property 'tarFile' doesn't have a configured value.

This happens in app/build.gradle when file('../tar').listFiles()?.find { … } returns null — the Kolibri tar was not present in tar/ when Gradle's configuration phase ran. The download_tar job passed and uploaded the artifact, but the actions/download-artifact@v7 step in the test jobs appears not to have placed the file there in time. The same workflow succeeds on develop HEAD and on the concurrent robolectric-4.16.1 dependabot PR, so this looks like a transient artifact availability issue. A rerun is worth trying, but CI must pass before merging.

Recommendation

REQUEST_CHANGES — CI must pass and Chaquopy wheel availability must be confirmed before merging. The three security CVEs give this update real urgency; it should land promptly once the CI issue is resolved.

---

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Reviewed the pull request diff checking for:

• Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
• Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
• Architecture: duplicated concerns, minimal interfaces, composition over inheritance
• Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
• Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
• Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
• Checked CI status and linked issue acceptance criteria
• For UI changes: inspected screenshots for layout, visual completeness, and consistency

[rtibblesbot]

suggestion: Before merging, confirm Chaquopy has a prebuilt wheel for cryptography==46.0.7. The comment on line 3 ("Pinned to versions with prebuilt Chaquopy wheels") makes this a hard build requirement — if no wheel exists for this version, the Android app's Python environment will fail to install it at build time. CI failed before reaching the Chaquopy/Gradle Python install step in this run, so wheel availability is unconfirmed. Check the Chaquopy package index or verify the Android build completes without pip errors in Gradle output.

[dependabot]

Superseded by #280.