build(deps): bump cryptography from 46.0.5 to 48.0.1 in /tests#6
build(deps): bump cryptography from 46.0.5 to 48.0.1 in /tests#6dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 48.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.5...48.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM, routine Dependabot bump of a transitive dependency.
Extended reasoning...
Overview
This PR bumps cryptography from 46.0.5 to 48.0.1 in the root requirements.txt. The package is pulled in as a supporting dependency for the community.crypto Ansible collection, not used directly in any kubespray code (grep for from cryptography / import cryptography returns no matches).
Security risks
None specific to this diff. The cryptography package is a well-maintained, security-critical library and this update pulls in wheels compiled against OpenSSL 4.0.1, which is generally desirable from a security posture standpoint.
Level of scrutiny
Low. This is a dependency version bump touching a single line in a requirements file. The 47.0.0 and 48.0.0 releases include backwards-incompatible changes (Python 3.8 removal, SECT elliptic curves removal, OpenSSL 1.1.x removal, stricter CRL parsing, changed exception types on unsupported keys), but none of these are relevant to how kubespray uses the package indirectly through Ansible modules on modern Python/OpenSSL stacks.
Other factors
Dependabot compatibility score is available in the PR description. No bugs were flagged by the bug-hunting system. Even though this is a two-major-version jump, the effective surface area for kubespray is small enough that CI test coverage should be sufficient.
Bumps cryptography from 46.0.5 to 48.0.1.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
de987ce48.0.1 version bump and changelog (#14996)8e03e30bump for 48.0.0 release (#14796)295e0d2Add AGENTS.md with CLAUDE.md symlink (#14794)104a2deBump BoringSSL, OpenSSL, AWS-LC in CI (#14793)67ec1e5call check_length early on AesSiv::encrypt (#14792)b2da57achangelog for mldsa/mlkem for openssl (#14791)3cf44adML-KEM OpenSSL support (#14781)2e31639ML-DSA OpenSSL support (#14773)5affe5afix rust nightly clippy (#14790)2e73ca4bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.