From 13f8ca6325438488f642607c8f187d6285b9c05e Mon Sep 17 00:00:00 2001 From: Roee Zisholz Date: Wed, 1 Jul 2026 12:36:52 +0300 Subject: [PATCH 1/3] Bump cryptography to ~=48.0 to fix CVE-2026-34180 cryptography ~=46.0.5 caps the transitive dependency below 47, blocking downstream consumers from resolving cryptography>=48.0.1 (CVE-2026-34180, SNYK-PYTHON-CRYPTOGRAPHY-17344551, OOB read). cryptography is not imported directly by conjur_api; widening the constraint has no API impact. Co-Authored-By: Claude Opus 4.8 --- requirements.txt | 2 +- setup.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 4ddd600..ffc0b8f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ pytest>=9.0.2 pytest-cov>=7.1.0 pylint>=4.0.5 -cryptography~=46.0.5 +cryptography~=48.0 keyring>=25.7.0 pyopenssl>=26.0.0 PyInstaller>=6.19.0 diff --git a/setup.cfg b/setup.cfg index 790eade..ce9af24 100644 --- a/setup.cfg +++ b/setup.cfg @@ -33,7 +33,7 @@ zip_safe = True include_package_data = False install_requires = - cryptography~=46.0.5 + cryptography~=48.0 keyring>=25.7.0 aiohttp>=3.13.3 asynctest >= 0.13.0; python_version<"3.8" From b027ecd4c1954f4d6c01287e25b21b9bd05346dc Mon Sep 17 00:00:00 2001 From: Roee Zisholz Date: Wed, 1 Jul 2026 12:44:46 +0300 Subject: [PATCH 2/3] Add CHANGELOG entry for cryptography bump Co-Authored-By: Claude Opus 4.8 --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11623ca..7f1b1f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Security +- Bump `cryptography` constraint to `~=48.0` to allow `cryptography>=48.0.1` + (CVE-2026-34180 / SNYK-PYTHON-CRYPTOGRAPHY-17344551), unblocking downstream + consumers capped by the previous `~=46.0.5` pin. + ## [0.1.10] - 2026-03-24 ### Security 
From 33fa1918469272b60c80de941e26028d67fe329c Mon Sep 17 00:00:00 2001 From: Roee Zisholz Date: Wed, 1 Jul 2026 14:40:56 +0300 Subject: [PATCH 3/3] Use floor constraint cryptography>=48.0.1 (no upper cap) cryptography is transitive and not imported directly; an upper bound only risks re-blocking consumers (e.g. cryptography 49.x is already released). Co-Authored-By: Claude Opus 4.8 --- CHANGELOG.md | 7 ++++--- requirements.txt | 2 +- setup.cfg | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f1b1f4..5afb97e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,9 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Security -- Bump `cryptography` constraint to `~=48.0` to allow `cryptography>=48.0.1` - (CVE-2026-34180 / SNYK-PYTHON-CRYPTOGRAPHY-17344551), unblocking downstream - consumers capped by the previous `~=46.0.5` pin. +- Relax `cryptography` constraint to `>=48.0.1` (CVE-2026-34180 / + SNYK-PYTHON-CRYPTOGRAPHY-17344551), unblocking downstream consumers capped + by the previous `~=46.0.5` pin. No upper bound — `cryptography` is a + transitive dependency and is not imported directly. ## [0.1.10] - 2026-03-24 diff --git a/requirements.txt b/requirements.txt index ffc0b8f..13960b2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ pytest>=9.0.2 pytest-cov>=7.1.0 pylint>=4.0.5 -cryptography~=48.0 +cryptography>=48.0.1 keyring>=25.7.0 pyopenssl>=26.0.0 PyInstaller>=6.19.0 diff --git a/setup.cfg b/setup.cfg index ce9af24..781158a 100644 --- a/setup.cfg +++ b/setup.cfg @@ -33,7 +33,7 @@ zip_safe = True include_package_data = False install_requires = - cryptography~=48.0 + cryptography>=48.0.1 keyring>=25.7.0 aiohttp>=3.13.3 asynctest >= 0.13.0; python_version<"3.8"
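Review bot: in the PATCH 1/3 requirements.txt and setup.cfg hunks, `~=48.0` expands to `>=48.0, ==48.*`, which still admits 48.0.0, below the 48.0.1 release the commit message names as the fix for CVE-2026-34180; the constraint that matches the message is `~=48.0.1` or a plain `>=48.0.1`. PATCH 3/3 replaces it with `>=48.0.1`, so squashing the three commits before merge would keep the too-loose intermediate constraint out of history.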
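Review bot: the PATCH 2/3 CHANGELOG.md hunk states that the `~=48.0` constraint "allow[s] `cryptography>=48.0.1`", but `~=48.0` also allows 48.0.0, so the entry claims a floor the pin does not enforce; PATCH 3/3 rewrites this entry, so if the series is merged as three commits the wording here should at least match the pin it describes.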
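Review bot: the PATCH 3/3 CHANGELOG.md hunk describes the change as "Relax", but moving from `~=46.0.5` to `>=48.0.1` also raises the minimum from 46.0.5 to 48.0.1, so consumers pinned anywhere in 46.x or 47.x now fail to resolve; the entry should say the floor went up, and since the file declares adherence to Semantic Versioning, the release that ships this should be chosen with that in mind.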
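Review bot: in the PATCH 3/3 requirements.txt hunk, dropping the upper bound in a file that also carries the test and build tooling (pytest, pylint, PyInstaller) means CI resolves whatever cryptography release is newest at run time, so a breaking 49.x or later release surfaces as an unrelated CI failure rather than a deliberate bump; if reproducible builds matter, keep the floor for consumers but resolve CI against a lock file. The adjacent `pyopenssl>=26.0.0` carries its own cryptography requirement; confirm the two floors resolve together.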
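Review bot: in the PATCH 3/3 setup.cfg hunk, `cryptography>=48.0.1` stays in install_requires even though both commit messages state that conjur_api does not import cryptography; if the only purpose of the line is to force the transitive floor, record that in a comment beside it so a later cleanup does not drop it, or remove the direct entry and let the package that actually imports it own the floor. The same block still carries `asynctest >= 0.13.0; python_version<"3.8"`, which implies Python <3.8 is a supported interpreter; verify cryptography>=48.0.1 installs there, or retire that marker in the same change.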