Skip to content

Python dependency: Update cryptography requirement from ==47.0.* to ==48.0.*#9926

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/cryptography-eq-48.0.star
Closed

Python dependency: Update cryptography requirement from ==47.0.* to ==48.0.*#9926
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/cryptography-eq-48.0.star

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Updates the requirements on cryptography to permit the latest version.

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04


* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

    

  • Note: Going forward, we do not guarantee that all functionality
    
in cryptography will be available when building against
    
OpenSSL. See :doc:/statements/state-of-openssl for more information.
    • 



.. _v47-0-0:


47.0.0 - 2026-04-24

  • Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
  • BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
  • BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
  • BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:~cryptography.exceptions.UnsupportedAlgorithm instead of ValueError. This change affects :func:~cryptography.hazmat.primitives.serialization.load_pem_private_key, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key, :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key, :func:~cryptography.hazmat.primitives.serialization.load_der_public_key, and :meth:~cryptography.x509.Certificate.public_key when called on certificates with unsupported public key algorithms.
  • BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
  • Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES. In a

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Python dependency: Update cryptography requirement
a85bf48 
Updates the requirements on [cryptography](https://github.com/pyca/cryptography) to permit the latest version.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@47.0.0...48.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Dependencies Pull requests that update a dependency file label May 11, 2026
@dependabot dependabot Bot mentioned this pull request May 11, 2026
Closed
@asheshv asheshv mentioned this pull request May 20, 2026
Merged
6 tasks
asheshv added a commit that referenced this pull request May 20, 2026
@asheshv
chore: Apply non-breaking dependency updates from open dependabot PRs (
aad2dfd 
…#9954)

Python:
- requirements.txt: google-auth-oauthlib 1.3.1 -> 1.4.0
  (#9929 / #9931), gated so Python 3.9 stays on 1.3.1 (1.4.0
  requires python_version >= 3.10). Mirrors the existing
  boto3 1.42.*/1.43.* split.
- tools/requirements.txt: requests >=2.33.1 -> >=2.34.2 on
  python_version > '3.9' (#9943 / #9944).
- web/regression/requirements.txt: selenium 4.43.0 -> 4.44.0
  (#9946). The selenium pin already requires Python >=3.10 in
  master, so the bump introduces no new 3.9 gap.

JavaScript (web/package.json, web/yarn.lock):
- postcss 8.5.12 -> 8.5.14 (#9874 / #9889)
- @tanstack/react-query 5.100.5 -> 5.100.9 (#9878)
- ip-address 10.1.0 -> 10.1.1 (#9918)
- packageManager pin yarn@4.14.0 -> yarn@4.15.0 and regenerate
  yarn.lock at lockfile __metadata.version 10. CI runs yarn
  4.15.0 with hardened mode on public PRs and refuses to migrate
  the lockfile from version 9 (yarn 4.14.x) to 10; master passes
  today only because hardened mode is PR-only.

Electron runtime (runtime/package.json, runtime/yarn.lock):
- axios 1.16.0 -> 1.16.1 (#9948)
- eslint 10.3.0 -> 10.4.0 (#9947)

Skipped (genuine breaking changes, deferred to follow-up PRs):
- @mui/material 7 -> 9 (#9843)
- @mui/x-date-pickers 8 -> 9 (#9888)
- cryptography 47.0.* -> 48.0.* (#9926 / #9932)
- paramiko 3.5.1 -> 5.0.0 (#9927 / #9930)
- electron 41.5.0 -> 42.1.0 (#9945)

Verified in an isolated worktree:

  - jest:        140/0/0 suites, 824/0/0 tests
  - eslint:      clean (web + runtime, both silent)
  - pycodestyle: 0 violations project-wide

Each version was cross-checked against the corresponding
dependabot PR diff via `gh pr diff`. Each Python bump was
cross-checked against PyPI's requires_python so Python 3.9
support stays intact.
@asheshv asheshv mentioned this pull request May 20, 2026
Merged
3 tasks
@asheshv
Copy link
Copy Markdown
Contributor

asheshv commented May 20, 2026

Superseded by #9960, which bumps cryptography to 48.0.* in requirements.txt. Analysis in the PR description: the 48.0.0 breaking changes (3.8 removal, stricter X.509 CRL parsing) don't affect pgAdmin — Python 3.9 is already our floor, and we have no cryptography.x509 / CRL usage anywhere. The OpenSSL 1.1.x drop you might be thinking of happened in 47 (already on master). Thanks dependabot!

@asheshv asheshv closed this May 20, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 20, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@asheshv asheshv mentioned this pull request May 20, 2026
Closed
@dependabot dependabot Bot deleted the dependabot/pip/cryptography-eq-48.0.star branch May 20, 2026 10:55
asheshv added a commit that referenced this pull request May 20, 2026
@asheshv
chore(deps): bump cryptography 47.0.* -> 48.0.* (#9960)
25f0d85 
Supersedes dependabot #9926 (and its /web/regression duplicate
#9932). Inherited via `-r ../../requirements.txt`, so the single
edit covers both.

cryptography 48 is a smaller bump than its major-version label
suggests:

  - Removed Python 3.8 support. pgAdmin requires Python 3.9+ across
    the supported platforms, so this is a no-op for us. (3.9.0 and
    3.9.1 specifically are excluded by the new metadata; nothing
    in pgAdmin's CI / packaging runs those exact patch versions.)
  - Stricter X.509 CRL parsing: a CRL whose inner
    `TBSCertList.signature` does not match the outer
    `signatureAlgorithm` now raises `ValueError` instead of
    being parsed and rejected later during signature verification.
  - Added ML-KEM and ML-DSA post-quantum primitives (additive).

pgAdmin's cryptography surface area is narrow and CRL-free:

  - web/pgadmin/settings/__init__.py        Fernet
  - web/pgadmin/utils/session.py            Fernet, hashes, HKDF
  - web/pgadmin/utils/crypto.py             Cipher, AES, CFB8

No imports of `cryptography.x509`, `CertificateRevocationList`,
or `load_pem_x509_crl` anywhere in the tree, so the stricter CRL
parsing in 48 cannot affect pgAdmin.

The OpenSSL 1.1.x / LibreSSL < 4.1 removal that I initially
flagged as a concern actually happened in cryptography 47, which
master is already on. No platform-support regression from this
bump.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@asheshv