From df8249386ca4804e18b6ed46a16603425a0cc673 Mon Sep 17 00:00:00 2001 From: Ashesh Vashi Date: Wed, 20 May 2026 16:22:11 +0530 Subject: [PATCH] chore(deps): bump cryptography 47.0.* -> 48.0.* Supersedes dependabot #9926 (and its /web/regression duplicate #9932). Inherited via `-r ../../requirements.txt`, so the single edit covers both. cryptography 48 is a smaller bump than its major-version label suggests: - Removed Python 3.8 support. pgAdmin requires Python 3.9+ across the supported platforms, so this is a no-op for us. (3.9.0 and 3.9.1 specifically are excluded by the new metadata; nothing in pgAdmin's CI / packaging runs those exact patch versions.) - Stricter X.509 CRL parsing: a CRL whose inner `TBSCertList.signature` does not match the outer `signatureAlgorithm` now raises `ValueError` instead of being parsed and rejected later during signature verification. - Added ML-KEM and ML-DSA post-quantum primitives (additive). pgAdmin's cryptography surface area is narrow and CRL-free: - web/pgadmin/settings/__init__.py Fernet - web/pgadmin/utils/session.py Fernet, hashes, HKDF - web/pgadmin/utils/crypto.py Cipher, AES, CFB8 No imports of `cryptography.x509`, `CertificateRevocationList`, or `load_pem_x509_crl` anywhere in the tree, so the stricter CRL parsing in 48 cannot affect pgAdmin. The OpenSSL 1.1.x / LibreSSL < 4.1 removal that I initially flagged as a concern actually happened in cryptography 47, which master is already on. No platform-support regression from this bump. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 70d62e1bfaa..edb6492e99e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -22,7 +22,7 @@ bcrypt==5.0.* boto3==1.42.*; python_version <= '3.9' boto3==1.43.*; python_version > '3.9' certifi==2026.4.22 -cryptography==47.0.* +cryptography==48.0.* Flask-Babel==4.0.* Flask-Compress==1.* Flask-Login==0.*
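Review bot: The "CRL-free" argument in the commit message is established only for pgAdmin's own imports (the three listed modules plus the tree-wide grep for `cryptography.x509`, `CertificateRevocationList` and `load_pem_x509_crl`), but the hunk changes `requirements.txt`, which every transitive consumer of `cryptography` in the environment resolves against, so the stricter `TBSCertList.signature` / `signatureAlgorithm` check in 48 can still surface through a dependency that parses CRLs on pgAdmin's behalf. It would help to state in the message which CI jobs were run green on the bumped pin, in particular the `/web/regression` suite that the superseded #9932 targeted, since that is the evidence the hunk itself cannot carry. Separately, the message notes that 3.9.0 and 3.9.1 are excluded by the new metadata; the neighbouring `boto3` lines in this same hunk already use `python_version` markers, so if any supported platform could land on those exact patch releases, a marker on the `cryptography==48.0.*` line (or a note that none does) would make the "no-op for us" claim checkable from the file.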