Skip to content

Bump cryptography from 48.0.1 to 49.0.0#206

Merged
docktermj merged 3 commits into
mainfrom
dependabot/pip/cryptography-49.0.0
Jul 6, 2026
Merged

Bump cryptography from 48.0.1 to 49.0.0#206
docktermj merged 3 commits into
mainfrom
dependabot/pip/cryptography-49.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps cryptography from 48.0.1 to 49.0.0.

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12


* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits
  • e300bbe bump version and changelog for 49.0.0 (#15030)
  • fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
  • f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
  • 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
  • a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
  • 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
  • 6080dc7 Bump dependencies that dependabot isn't (#15026)
  • 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
  • 829520b Add more robust processing for DH parameters. (#15016)
  • 0f05001 Bump downstream dependencies in CI (#15025)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 6, 2026 16:24
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Claude Code Review

Code Review

This is a single-line dependency version bump (cryptography 48.0.1 → 49.0.0) in pyproject.toml, consistent with the repo's established pattern of automated dependency bumps (see git log: virtualenv, cryptography bumps merged previously without CHANGELOG entries or added tests).

Code Quality

  • Style conventions: pyproject.toml:39 — version pin format (==X.Y.Z) matches the rest of the development dependency list.
  • No commented-out code
  • Meaningful variable names — N/A, dependency spec only.
  • DRY — N/A, single-line change.
  • ⚠️ Defects: No functional code changed, so no logic errors possible directly. However, cryptography 48.x → 49.0.0 is a major version bump, which per the project's own changelog can include removal of deprecated APIs and OpenSSL/Rust toolchain requirement changes. Since cryptography is listed under development extras (not a runtime dependency per this diff), risk is limited to dev/test tooling, but worth confirming CI passes with the new version rather than assuming a patch-level bump is safe.
  • N/A CLAUDE.md considerations — not touched by this diff; no changes needed.

Testing

  • N/A — no application code changed; existing lint/mypy/test suite in CI should be sufficient to catch incompatibilities from the bump.
  • ⚠️ Recommend confirming the CI run for this PR (lint/pylint/mypy/pytest) actually passed, since major-version bumps of cryptography occasionally affect transitive tooling.

Documentation

  • ✅ Readme — N/A, not applicable to a dependency bump.
  • ✅ CHANGELOG.md — not updated, consistent with prior dependency-bump commits in this repo's history (e.g. e959d19, 5153e40) which also didn't touch CHANGELOG.md. No inconsistency introduced.
  • N/A Markdown formatting — no markdown files changed in this diff.

Security

  • No hardcoded credentials
  • No .lic files or AQAAAD-prefixed strings present in this diff.
  • ✅ Bumping cryptography forward is generally a security positive (newer version likely includes CVE fixes over 48.0.1) rather than a risk.

Summary

No issues found. This is a low-risk, routine dependency bump consistent with the repository's established Dependabot pattern. Approve, contingent on CI (lint/mypy/pytest) passing for the new cryptography version.

Automated code review analyzing defects and coding standards

Bumps [cryptography](https://github.com/pyca/cryptography) from 48.0.1 to 49.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@48.0.1...49.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 49.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/cryptography-49.0.0 branch from b9326d5 to 76a0f78 Compare July 6, 2026 16:31
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Claude Code Review

PR Code Review: Bump cryptography from 48.0.1 to 49.0.0

Change summary: Single-line version pin bump in pyproject.toml (line 39: cryptography==48.0.1cryptography==49.0.0) for the development dependency group. This is an automated dependency-bump PR (Dependabot-style), consistent with the repo's established pattern (see 76a0f78, e959d19, 5153e40, etc. in git history).

Code Quality

  • Style conventions: Follows the existing pinned-version format used throughout pyproject.toml.
  • No commented-out code: N/A, single-line diff.
  • Meaningful variable names: N/A.
  • DRY principle: N/A.
  • Defects: No logic changes, no code paths affected — pure build-dependency metadata. cryptography is a transitive dev/lint/test tooling dependency here, not imported directly by src/awesome.py, so no application code is affected by the major version bump.
  • CLAUDE.md consideration: .claude/CLAUDE.md is unaffected by this PR and remains general (no local-environment-specific content introduced).

Testing

  • ⚠️ Test coverage / CI verification: This is a major version bump (48.x → 49.x) of cryptography. While cryptography isn't directly imported in src/awesome.py (confirmed — the app only uses PyGithub/argparse), it's worth confirming CI passes fully, since major version bumps can introduce breaking changes for whatever depends on it transitively (e.g., via twine or other packages in the development/lint groups). No new unit/integration tests are needed for a pure dependency-pin change — flagging as informational only, not a blocker.

Documentation

  • README: Not applicable, no user-facing change.
  • CHANGELOG.md: Not updated, but this matches established project convention — prior dependency bump commits (e959d19, 5153e40, c6a1532, etc.) did not update CHANGELOG.md either. No inconsistency introduced.
  • Markdown/CommonMark formatting: No markdown files touched in this diff.

Security

  • No hardcoded credentials.
  • No .lic files or AQAAAD-prefixed strings present in this diff.
  • Input validation / error handling / logging: N/A, no code logic changed.
  • ℹ️ Bumping cryptography to a newer major version is generally a positive security action (pulls in latest upstream security fixes), consistent with the repo's dependency-hygiene practices.

Verdict

Approve. This is a low-risk, mechanical dependency version bump consistent with the repository's established pattern for such PRs. No blocking issues found.

Automated code review analyzing defects and coding standards

@docktermj docktermj self-assigned this Jul 6, 2026
@docktermj docktermj enabled auto-merge (squash) July 6, 2026 16:35
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Claude Code Review

Confirmed: this is a routine dependabot version bump, consistent with the repo's established pattern (CHANGELOG.md hasn't tracked dependency bumps since project inception — last entry is from 2021, well before any of the dependabot commits). Here's the review.

Code Quality

  • ✅ Single-line version bump in pyproject.toml:39 (cryptography==48.0.149.0.0), pinned exact version — consistent with style used for all other pinned deps in this file (psutil==7.2.2, pytest-cov==7.1.0, etc.)
  • ✅ No commented-out code
  • ✅ N/A — no variable naming involved
  • ✅ N/A — no logic duplicated
  • ✅ No defects identified. This is a dependency-only diff with no application logic touched, no new attack surface introduced by the diff itself. (Note: I did not perform a live check of the cryptography 49.0.0 release notes for behavioral/CVE changes since network access is disabled for this run — worth a manual glance at the changelog for that package before merging, though this is standard for automated dependency bumps.)
  • .claude/CLAUDE.md reviewed — it's already environment-agnostic (references python -m venv, generic commands, no machine-specific paths or credentials) and is unaffected by this diff.

Testing

  • ❌ N/A — no unit/integration tests apply to a pinned-version bump in pyproject.toml. Not a defect; flagging only because the checklist item is unaffected rather than satisfied. CI (lint/type/test suite) running against the new pin is the appropriate verification here, not new tests.

Documentation

  • ✅ README: not applicable, no user-facing behavior changed
  • ✅ API docs: not applicable
  • ✅ Inline comments: not applicable — trivial diff
  • ⚠️ CHANGELOG.md not updated. However, per repo history, dependency-bump PRs (see ecbba7f, 76a0f78, c6a1532, and dozens of prior dependabot commits) consistently do not touch CHANGELOG.md — the file's last content update was in 2021. Not a deviation from established project convention, so not blocking.
  • ✅ No Markdown files changed in this diff — CommonMark/prettier formatting check N/A

Security

  • ✅ No hardcoded credentials
  • ✅ N/A — no input handling changed
  • ✅ N/A — no error handling changed
  • ✅ No sensitive data/logging touched
  • ✅ No .lic files or AQAAAD-prefixed license strings present in this diff

Summary

This is a routine, low-risk dependency version bump with no issues found. Safe to merge pending normal CI (lint/type/test) passing against the updated cryptography pin.

Automated code review analyzing defects and coding standards

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Claude Code Review

Code Review

This is a Dependabot-style dependency bump: cryptography pinned version updated from 48.0.149.0.0 in pyproject.toml (line 39).

Code Quality

  • ✅ Style/formatting: single-line version pin change, consistent with surrounding entries (build==1.5.0, psutil==7.2.2, etc.) in pyproject.toml:36-42.
  • ✅ No commented-out code.
  • ✅ N/A — no variable names introduced.
  • ✅ DRY — trivial pin bump, no duplication introduced.
  • ⚠️ Defects: No functional code changes to review for bugs/logic errors. The one thing worth flagging is that cryptography 49.0.0 is a major version bump (48→49), which can carry breaking API changes or new minimum Rust/OpenSSL toolchain requirements for building wheels. Confirm CI actually installs and runs successfully with this pin (no evidence in the diff itself that this was validated) rather than accepting it purely on version-number faith.
  • ✅ CLAUDE.md consideration: no changes to .claude/CLAUDE.md in this diff; existing project config is already environment-agnostic (no local-path or machine-specific config found).

Testing

  • ✅ N/A — dependency version bump only, no new functions/endpoints requiring new tests.
  • ⚠️ Edge cases / coverage: not applicable to a pin bump, but recommend confirming the full test suite (pytest) passes against cryptography==49.0.0 before merge, since this is a transitive-trust dependency (used indirectly, likely via PyGithub/requests chain) rather than something this repo's own code exercises directly.

Documentation

  • ✅ Readme: not applicable, no user-facing change.
  • ✅ API docs: not applicable.
  • ✅ Inline comments: not applicable, no complex logic added.
  • ✅ CHANGELOG.md: consistent with repo convention — prior dependency bumps (e.g. 73ea3b6 Bump sphinx-rtd-theme from 3.0.2 to 3.1.0) also did not update CHANGELOG.md, so omission here is not a deviation.
  • ✅ Markdown/CommonMark: no markdown files touched in this diff.

Security

  • ✅ No hardcoded credentials.
  • ✅ No input validation concerns — pin bump only.
  • ✅ No error handling changes.
  • ✅ No sensitive data in logs.
  • ✅ No .lic files or AQAAAD-prefixed license strings present in this diff.
  • ℹ️ Note: bumping cryptography forward is itself a good security hygiene practice (staying current on a security-critical library), assuming CI validates compatibility.

Summary

No blocking issues. This is a low-risk, mechanical dependency bump consistent with the repo's existing patterns. Recommend merging once CI (lint + test suite) passes green against the new pin.

Automated code review analyzing defects and coding standards

@docktermj docktermj merged commit 6a23545 into main Jul 6, 2026
34 checks passed
@docktermj docktermj deleted the dependabot/pip/cryptography-49.0.0 branch July 6, 2026 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants