chore(deps): bump cryptography from 46.0.6 to 46.0.7 #5818
dependabot[bot] wants to merge 1 commit into unstable from
Conversation
rtibblesbot
left a comment
Dependency Update Review
Package: cryptography 46.0.6 → 46.0.7
Semver risk: Patch
Dependency type: Production (transitive via google-auth)
CI status: Passing
Changelog Analysis
Sources consulted:
- PR body (changelog excerpt from CHANGELOG.rst)
Security fixes:
- CVE-2026-39892: Fixed buffer overflow — non-contiguous buffers could be passed to Python buffer APIs, potentially leading to a buffer overflow. Patch release specifically for this fix.
Other notable changes:
- Updated Windows, macOS, and Linux wheels compiled with OpenSSL 3.5.6.
Breaking changes: None.
Compatibility Assessment
- No API changes; patch-level security fix only
- No peer dependency changes
- No code migration required
- No prior failed attempts noted
Recommendation
APPROVE — Security patch with no breaking changes; CI passing.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.6...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
1dbd956 to 3a42a0e
rtibblesbot
left a comment
Prior findings
No inline findings in the prior review (clean APPROVE on 2026-04-10) — nothing to classify.
Dependency Update Review
Package: cryptography 46.0.6 → 46.0.7
Semver risk: Patch
Dependency type: Production (transitive via google-auth)
CI status: Partially passing at time of review — linting and build pass; Python unit tests in progress.
Changelog Analysis
Sources consulted:
- PR body (changelog excerpt from CHANGELOG.rst)
Security fixes:
- CVE-2026-39892: Fixed buffer overflow — non-contiguous buffers could be passed to Python buffer APIs, potentially leading to a buffer overflow.
Other notable changes:
- Updated Windows, macOS, and Linux wheels compiled with OpenSSL 3.5.6.
Breaking changes: None.
New changes since prior review
The rebased commit (2026-04-13) includes an additional lockfile change not present when the prior review was submitted: setuptools==80.9.0 is removed from requirements.txt. In the base branch (unstable), setuptools is still listed as a transitive dependency of google-api-core, google-auth, and marisa-trie. Its removal here suggests that pip's dependency resolver, when regenerating the lockfile against the updated cryptography version, no longer pulls setuptools into the graph — likely because a marker condition changed (e.g., Python 3.12+ exemption) or a transitive dep dropped its setuptools requirement. Linting and build CI both pass, indicating no runtime import issues caused by the removal.
Compatibility Assessment
- No API changes; patch-level security fix only
- setuptools removed as transitive dependency — consistent with passing build/lint CI
- No peer dependency changes introduced by the cryptography bump itself
- No code migration required
Recommendation
APPROVE — Security patch for CVE-2026-39892 with no breaking changes. The setuptools removal is an expected lockfile side-effect of the rebase; passing linting and build CI support this. Confirm Python unit tests complete successfully (were in progress at submission time).
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Compared the current PR state against findings from a prior review:
- Retrieved prior bot reviews deterministically via the GitHub API
- Classified each prior finding as RESOLVED, UNADDRESSED, ACKNOWLEDGED, or CONTESTED
- Only raised NEW findings for newly introduced code
- Reviewed the pull request diff checking for correctness, design, architecture, testing, completeness, and adherence to DRY/SRP principles
- Checked CI status and linked issue acceptance criteria
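Two checks a reviewer might actually run when triaging a transitive security bump like this one, written as an added example that is not part of this PR, the repository, or the cryptography project. The first parses a pip-compile style requirements.txt and confirms the cryptography pin is at or above 46.0.7, the fix version quoted in both bot reviews, comparing numeric tuples so that 46.0.10 is not ranked below 46.0.7 as a string compare would. The second is a generic guard for the class of input the changelog excerpt describes (a non-contiguous buffer handed to a buffer-protocol API): the page does not name the affected cryptography function, so the guard does not call cryptography at all; it only shows how to detect a strided memoryview with the standard library and reject or copy it before it reaches an extension. The lockfile text, package names and versions below are constructed for the example; the only version taken from the page is 46.0.7.

```python
"""Added example, not code from the PR or the cryptography project.

Standard library only; runs offline. SAMPLE_LOCKFILE is constructed and is
not this repository's requirements.txt.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum patched version, per the changelog excerpt quoted in the reviews.
PATCHED_CRYPTOGRAPHY = "46.0.7"

# Constructed sample in pip-compile layout: one pin per line, "# via" comments
# and indented continuation lines, the way the reviewed requirements.txt reads.
SAMPLE_LOCKFILE = """\
# This file is autogenerated by pip-compile
cryptography==46.0.6
    # via google-auth
google-auth==2.38.0
    # via google-api-core
setuptools==80.9.0
    # via marisa-trie
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'46.0.7' -> (46, 0, 7). A non-numeric tail such as 'rc1' is dropped,
    which is sufficient for comparing release pins in a lockfile."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pins(lockfile_text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version. Comments, environment
    markers (after ';') and --hash continuation lines are ignored."""
    pins: Dict[str, str] = {}
    for raw in lockfile_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def check_pin(lockfile_text: str, package: str, minimum: str) -> Tuple[bool, Optional[str]]:
    """(patched, pinned_version). patched is False when the package is absent
    (nothing proves it is patched) or pinned below `minimum`."""
    pinned = parse_pins(lockfile_text).get(package.lower().replace("_", "-"))
    if pinned is None:
        return False, None
    return parse_version(pinned) >= parse_version(minimum), pinned


def is_c_contiguous(buf) -> bool:
    """True when `buf` exposes one contiguous C-order run of bytes."""
    return memoryview(buf).c_contiguous


def require_contiguous(buf) -> memoryview:
    """Reject a non-contiguous buffer before handing it to a C/Rust extension.
    A strided view such as memoryview(bytearray(8))[::2] reports len() == 4 but
    its bytes are not adjacent in memory, so an extension that treats the
    buffer as a flat region of len() bytes reads or writes the wrong memory.
    Callers that need the data can copy it out with .tobytes() instead."""
    view = memoryview(buf)
    if not view.c_contiguous:
        raise TypeError(
            "non-contiguous buffer (strides=%r); copy with .tobytes() first" % (view.strides,)
        )
    return view


def accepts_buffer(buf) -> bool:
    """Convenience wrapper: does require_contiguous() let this buffer through?"""
    try:
        require_contiguous(buf)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    ok, pinned = check_pin(SAMPLE_LOCKFILE, "cryptography", PATCHED_CRYPTOGRAPHY)
    print("cryptography pinned at %s, patched: %s" % (pinned, ok))
    strided = memoryview(bytearray(8))[::2]
    print("strided view contiguous: %s, accepted: %s" % (is_c_contiguous(strided), accepts_buffer(strided)))
```

Run against the real requirements.txt on the PR head, `check_pin` should return `(True, "46.0.7")`; against the base branch it returns `(False, "46.0.6")`, which is the state the bot reviews describe. The buffer guard is the generic discipline, not the library's own check: anything that crosses into native code should be either C-contiguous or copied with `.tobytes()` first.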
Bumps cryptography from 46.0.6 to 46.0.7.
Changelog
Sourced from cryptography's changelog.
Commits
622d672 46.0.7 release (#14602)