
Bump cryptography from 46.0.5 to 46.0.6#3261

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/cryptography-46.0.6

Conversation


@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Bumps cryptography from 46.0.5 to 46.0.6.

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25


* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**


Commits

@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `python:uv` (Pull requests that update python:uv code) labels Mar 29, 2026
@deruyter92 deruyter92 self-requested a review March 30, 2026 16:21
@C-Achard
Collaborator

@dependabot rebase

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/uv/cryptography-46.0.6 branch from dcb46fa to a1955ce Compare March 30, 2026 18:14

@JiwaniZakir JiwaniZakir left a comment


This is a patch-level bump of cryptography in uv.lock (46.0.5 → 46.0.6), which typically indicates a security or bug-fix release. It's worth checking the cryptography changelog to confirm what CVE or fix is addressed, since cryptography patch releases are frequently security-motivated — the PR description doesn't mention the motivation. The lock file change looks mechanically correct (sdist hash and all wheel hashes are updated consistently across platforms), but pyproject.toml or any other manifest that pins cryptography directly should be verified to ensure the constraint allows 46.0.6 (i.e., isn't pinned to an exact version like ==46.0.5). If this bump was triggered by a vulnerability, that context should be captured in the PR body for audit trail purposes.
