fix: Widen cryptography dependency to >=44.0.0,<47.0.0#975

Merged: Aaron ("AJ") Steers (aaronsteers) merged 5 commits into main from devin/1775067657-widen-cryptography-constraint, Jun 7, 2026

Conversation

Contributor

@devin-ai-integration devin-ai-integration Bot commented Apr 1, 2026

Summary

Widens the cryptography package constraint from >=44.0.0,<45.0.0 to >=44.0.0,<47.0.0,!=45.0.0,!=45.0.1 to allow resolution of version 46.x, which includes the fix for CVE-2026-26007.

The <45.0.0 pin was added in #377 because cryptography 45.0.0 introduced regressions in load_pem_private_key() (pyca/cryptography#12958). Those regressions were fixed in 45.0.2+, so we now exclude only the broken releases (45.0.0, 45.0.1) and add <47.0.0 as a safety upper bound.

Lock file changes (regenerated with Poetry 2.0.1, lock-version 2.1):

Package       Old      New
cryptography  44.0.2   46.0.7
cffi          1.17.1   2.0.0

Resolves https://github.com/airbytehq/oncall/issues/11849

Related: #956

Notes

  • Prior art: chore(deps): update nltk to 3.9.4 #968 widened to <47.0.0 and all 3,945 CDK tests passed. The cryptography change was reverted in that PR for unrelated reasons.
  • This is not a breaking change — it only widens the allowed version range of a transitive dependency.

Link to Devin session: https://app.devin.ai/sessions/10db7a594acf4f3da627e97e6e77a843
Requested by: Aaron ("AJ") Steers (@aaronsteers)
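To make the constraint change in the description above concrete, here is an added example (not code from this PR or from the airbyte-python-cdk project) that evaluates pip/Poetry-style version specifiers against a list of candidate releases. It parses the comma-separated clauses, applies each comparison numerically, and reports which releases the old `<45.0.0` pin admitted versus the widened `>=44.0.0,<47.0.0,!=45.0.0,!=45.0.1` constraint, including whether the highest admissible release is at or past the one the description names as carrying the CVE fix (46.0.5). The list of release numbers is constructed for the example; `47.0.0` in particular is a hypothetical future release included only to show the upper bound working. Pre-release tags and other PEP 440 features are deliberately out of scope.

```python
"""Evaluate a pip/Poetry-style version constraint against candidate releases.

Added example, not part of the PR or the project. Supports the comparison
operators used in the constraint under discussion (>=, <, !=) plus ==, >, <=,
on plain dotted numeric versions such as "46.0.7".
"""
import operator
import re
from typing import Callable, Dict, List, Tuple

# One clause: an operator followed by a dotted numeric version (no pre-release tags).
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")

_OPS: Dict[str, Callable[[Tuple[int, ...], Tuple[int, ...]], bool]] = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}

# Constraints quoted from the PR description (old pin and widened range).
OLD_PIN = ">=44.0.0,<45.0.0"
NEW_CONSTRAINT = ">=44.0.0,<47.0.0,!=45.0.0,!=45.0.1"
# Release the description names as the first one containing the CVE fix.
CVE_FIXED_IN = "46.0.5"

# Constructed candidate list for the example; 47.0.0 is hypothetical and only
# present to exercise the upper bound.
RELEASES = ["44.0.0", "44.0.2", "45.0.0", "45.0.1", "45.0.2",
            "46.0.4", "46.0.5", "46.0.6", "46.0.7", "47.0.0"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "46.0.7" into (46, 0, 7), zero-padded to three components.

    Padding makes "44.0" and "44.0.0" compare equal, as a resolver would treat them,
    and tuple comparison orders numerically rather than lexically ("46" > "7").
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_constraint(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Split ">=44.0.0,<47.0.0,!=45.0.0" into [(op, version_tuple), ...]."""
    clauses = []
    for raw in spec.split(","):
        match = _CLAUSE.match(raw.strip())
        if not match:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """A version satisfies the constraint only if every clause holds (clauses are ANDed)."""
    candidate = parse_version(version)
    return all(_OPS[op](candidate, bound) for op, bound in parse_constraint(spec))


def admitted(spec: str, candidates: List[str]) -> List[str]:
    """Return the candidates the resolver may pick, in ascending order (highest last)."""
    return sorted((c for c in candidates if satisfies(c, spec)), key=parse_version)


def highest_admitted_is_patched(spec: str, candidates: List[str], fixed_in: str) -> bool:
    """True if the newest release the constraint allows is at or past the fixed release.

    This is the security-relevant question for a dependency pin: does the range let
    the resolver reach a version that carries the fix, or does it cap below it?
    """
    allowed = admitted(spec, candidates)
    return bool(allowed) and parse_version(allowed[-1]) >= parse_version(fixed_in)


if __name__ == "__main__":
    for label, spec in (("old pin", OLD_PIN), ("widened", NEW_CONSTRAINT)):
        print(f"{label:8} {spec}")
        print(f"  admits : {admitted(spec, RELEASES)}")
        print(f"  patched: {highest_admitted_is_patched(spec, RELEASES, CVE_FIXED_IN)}")
```

Running the script prints the admitted releases for each constraint: the old pin stops at 44.0.2 and never reaches the fixed release, while the widened constraint skips 45.0.0 and 45.0.1, accepts 45.0.2 onward, rejects the hypothetical 47.0.0, and tops out at 46.0.7.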

Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


github-actions Bot commented Apr 1, 2026

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1775067657-widen-cryptography-constraint#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1775067657-widen-cryptography-constraint

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment


github-actions Bot commented Apr 1, 2026

PyTest Results (Fast)

4 094 tests  ±0   4 082 ✅  - 1   7m 27s ⏱️ -59s
    1 suites ±0      12 💤 +1 
    1 files   ±0       0 ❌ ±0 

Results for commit b94d124. ± Comparison against base commit a7b0929.

This pull request skips 1 test.
unit_tests.sources.declarative.test_concurrent_declarative_source ‑ test_read_with_concurrent_and_synchronous_streams

♻️ This comment has been updated with latest results.


github-actions Bot commented Apr 1, 2026

PyTest Results (Full)

4 097 tests  ±0   4 085 ✅ ±0   11m 36s ⏱️ -1s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit b94d124. ± Comparison against base commit a7b0929.

♻️ This comment has been updated with latest results.

Comment thread pyproject.toml Outdated
@aaronsteers Aaron ("AJ") Steers (aaronsteers) marked this pull request as ready for review June 6, 2026 03:25
Copilot AI review requested due to automatic review settings June 6, 2026 03:25
devin-ai-integration Bot and others added 4 commits June 6, 2026 03:25
…6007

The cryptography package was pinned to <45.0.0 due to upstream key loading
regressions in 45.0.0 (pyca/cryptography#12958, #13126, #13196). Those
regressions were fixed in 45.0.2+, and the pin now blocks the fix for
CVE-2026-26007 (fixed in 46.0.5).

Widen the constraint to <47.0.0 so the resolver picks up 46.0.6 (latest)
which includes the CVE fix.

Co-Authored-By: bot_apk <apk@cognition.ai>
Use 'poetry update cryptography' instead of 'poetry lock' to avoid
updating unrelated transitive dependencies that caused MyPy failures.

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration devin-ai-integration Bot force-pushed the devin/1775067657-widen-cryptography-constraint branch from 873668f to dd34b2c Compare June 6, 2026 03:26
Contributor

Copilot AI left a comment

Pull request overview

This PR aims to address CVE-2026-26007 by widening the allowed cryptography dependency range and updating the Poetry lockfile to resolve a patched cryptography version.

Changes:

  • Updated pyproject.toml cryptography constraint (removed <45.0.0 pin and excluded 45.0.0–45.0.1).
  • Regenerated poetry.lock to update cryptography (and transitive dependencies).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
pyproject.toml Adjusts declared cryptography version constraints.
poetry.lock Updates resolved dependency versions based on the new constraints.

Comment thread pyproject.toml Outdated
Member

Aaron ("AJ") Steers (aaronsteers) commented Jun 6, 2026

/prerelease

Prerelease Job Info

This job triggers the publish workflow with default arguments to create a prerelease.

Prerelease job started... Check job output.

✅ Prerelease workflow triggered successfully.

View the publish workflow run: https://github.com/airbytehq/airbyte-python-cdk/actions/runs/27052511259

@aaronsteers Aaron ("AJ") Steers (aaronsteers) changed the title fix: Widen cryptography dependency to >=44.0.0,<47.0.0 for CVE-2026-26007 fix: Widen cryptography dependency to >=44.0.0,<47.0.0 Jun 7, 2026
Previous lock was generated with Poetry 1.8.5 (lock-version 2.0), which
stripped groups/markers metadata and caused CI failures (MyPy, pytest).
Regenerated from main's lock using 'poetry update cryptography' with
Poetry 2.0.1 to match CI.

Only 2 packages changed:
- cryptography: 44.0.2 -> 46.0.7
- cffi: 1.17.1 -> 2.0.0 (transitive dep of cryptography)

Co-Authored-By: AJ Steers <aj@airbyte.io>
@aaronsteers Aaron ("AJ") Steers (aaronsteers) changed the title fix: Widen cryptography dependency to >=44.0.0,<47.0.0 fix: Widen cryptography dependency to >=44.0.0,<47.0.0 Jun 7, 2026
@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit 7da322d into main Jun 7, 2026
30 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1775067657-widen-cryptography-constraint branch June 7, 2026 04:32