Bump cryptography from 46.0.7 to 47.0.0#150

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/cryptography-47.0.0

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps cryptography from 46.0.7 to 47.0.0.

Changelog

Sourced from cryptography's changelog.

47.0.0 - 2026-04-24


* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* **BACKWARDS INCOMPATIBLE:** When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length because
  such keys are impossible to process in a constant-time manner. We do not
  believe keys with this problem are in wide use, however we may revert this
  change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: ``key + key + key``,
  for two-key: ``key + key[:8]``).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
  and will be removed in the next release. We will switch to publishing an
  ``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
  and will be removed in the next release. Users should move to a 64-bit
  Python installation.
* ``public_bytes`` and ``private_bytes`` methods on keys now raise
  ``TypeError`` (instead of ``ValueError``) if an invalid encoding is provided
  for the given ``format``.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the ``modes`` module.
  They will be removed from the ``modes`` module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into  :doc:`/hazmat/decrepit/index` and deprecated it in the ``cipher`` module.
  It will be removed from the ``cipher`` module in 49.0.0.

... (truncated)

Commits
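Two of the changelog items above change behaviour that consuming code relies on: unsupported key algorithms and explicit-curve encodings now surface as `UnsupportedAlgorithm` (which does not subclass `ValueError`) instead of `ValueError`, and 8- and 16-byte `TripleDES` keys are deprecated in favour of 24-byte keys expanded as `key + key + key` and `key + key[:8]`. The helpers below are an added example, not code from this PR or from pyca/cryptography; the function names are illustrative, and the loader imports `cryptography` lazily so the key-expansion helper has no dependency. It shows how a codebase stays correct across the 46.x / 47.0 boundary rather than catching only `ValueError`.

```python
"""Compatibility helpers for two cryptography 47.0.0 changes.

Added example (not from this PR or from pyca/cryptography); function names
are illustrative. Runs with cryptography 46.x or 47.x installed.
"""
from __future__ import annotations

from typing import Any


def expand_tripledes_key(key: bytes) -> bytes:
    """Return the 24-byte TripleDES key form, using the expansions the
    47.0.0 changelog gives for the deprecated shorter keys:

        8 bytes  (single DES)   -> key + key + key   (K1 = K2 = K3)
        16 bytes (two-key 3DES) -> key + key[:8]     (K3 = K1)
        24 bytes                -> unchanged
    """
    if len(key) == 8:
        return key + key + key
    if len(key) == 16:
        return key + key[:8]
    if len(key) == 24:
        return key
    raise ValueError(f"TripleDES key must be 8, 16 or 24 bytes, got {len(key)}")


def load_private_key_compat(
    data: bytes, password: bytes | None = None
) -> tuple[str, Any]:
    """Load a PEM private key and classify failures consistently across
    cryptography < 47 (ValueError for everything) and >= 47
    (UnsupportedAlgorithm for unsupported algorithms / curve encodings).

    Returns ("ok", key), ("unsupported", None) or ("invalid", None).
    Code that catches only ValueError, as pre-47 callers typically did,
    lets UnsupportedAlgorithm escape on 47.0.0 because it is a plain
    Exception subclass, not a ValueError.
    """
    # Imported lazily so the TripleDES helper above has no dependency.
    from cryptography.exceptions import UnsupportedAlgorithm
    from cryptography.hazmat.primitives.serialization import load_pem_private_key

    try:
        return "ok", load_pem_private_key(data, password=password)
    except UnsupportedAlgorithm:
        # 47.0.0 and later: the key is well-formed but uses an algorithm or
        # explicit curve encoding this build does not support.
        return "unsupported", None
    except ValueError:
        # Malformed input on every version; on < 47 this also covers the
        # unsupported-algorithm case, so those callers cannot tell them apart.
        return "invalid", None


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ec

    # Constructed sample: a fresh P-256 key as unencrypted PKCS#8 PEM.
    pem = ec.generate_private_key(ec.SECP256R1()).private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    print(load_private_key_compat(pem)[0])                       # ok
    print(load_private_key_compat(b"-----BEGIN JUNK-----")[0])  # invalid
    print(expand_tripledes_key(bytes(range(16))).hex())
```

The three-way status is deliberate: on 47.x a caller can log "unsupported" separately from "invalid" (useful when auditing which stored keys a build can no longer read after this bump), while on 46.x both collapse into "invalid" because that version only ever raised `ValueError`.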

@dependabot dependabot Bot requested a review from a team as a code owner May 20, 2026 12:32
@dependabot dependabot Bot added the "dependencies" (Pull requests that update a dependency file) and "python" (Pull requests that update python code) labels May 20, 2026
@github-actions

🤖 Claude Code Review

PR Code Review

Summary: This PR bumps the cryptography dependency from 46.0.4 to 47.0.0 in pyproject.toml.


Code Quality

  • Style guide: Single-line change in pyproject.toml, no style concerns.
  • No commented-out code
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic changes; this is a version string update only. No bugs, race conditions, or security vulnerabilities introduced.
  • CLAUDE.md: No changes affect project configuration.

Testing

  • Unit/integration tests: No functional code changed; existing tests cover this dependency.
  • ⚠️ Test coverage: Cannot verify from the diff alone whether cryptography==47.0.0 introduces any breaking API changes that could cause test failures. Recommend confirming CI passes cleanly with the new version.

Documentation

  • README: No update needed for a dev dependency bump.
  • API docs: N/A
  • Inline comments: N/A
  • ⚠️ CHANGELOG.md: Not updated. Dependency bumps are often noted in changelogs — confirm whether this project tracks dependency updates there.
  • Markdown formatting: N/A

Security

  • No hardcoded credentials
  • Input validation: N/A
  • Error handling: N/A
  • No sensitive data in logs
  • No license files (.lic): Not present.
  • Security posture improved: cryptography 47.0.0 is a newer release; upgrading is generally a positive security action. No known regressions from 46.x to 47.x as of this review.

Verdict: This is a straightforward, low-risk dependency upgrade. The two minor items to confirm before merge:

  1. CI passes with cryptography==47.0.0 (no breaking API changes affecting this codebase).
  2. Consider adding a CHANGELOG entry if the project tracks dependency updates there.

Automated code review analyzing defects and coding standards

@dependabot dependabot Bot force-pushed the dependabot/pip/cryptography-47.0.0 branch from eb77c6c to b54fbb7 May 20, 2026 12:53
@github-actions

🤖 Claude Code Review

PR Code Review

Summary: Dependency bump for cryptography from 46.0.4 to 47.0.0 in pyproject.toml.


Code Quality

  • Style guide: Single-line change follows existing formatting conventions.
  • No commented-out code: N/A
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic errors; straightforward version bump. cryptography is a development dependency only (under [development]), so runtime behavior is unaffected. No race conditions, memory leaks, or security concerns introduced.
  • CLAUDE.md: No issues; project config is appropriately general.

Testing

  • Unit/integration tests: No new code requiring tests.
  • Coverage: N/A for a dependency bump.

Documentation

  • README: No update needed.
  • API docs: N/A
  • Inline comments: N/A
  • CHANGELOG.md: Not required for a transitive/dev dependency bump of this scope.
  • Markdown formatting: No markdown files changed.

Security

  • No hardcoded credentials: N/A
  • Input validation: N/A
  • Error handling: N/A
  • No sensitive data in logs: N/A
  • No license files (.lic) checked in: N/A

Verdict: APPROVE

This is a clean dependency bump of cryptography to 47.0.0. It is scoped to development dependencies only and carries no functional risk. The cryptography 47.x release includes security fixes and is safe to adopt. No issues found.

Automated code review analyzing defects and coding standards

@dependabot dependabot Bot changed the title from "Bump cryptography from 46.0.4 to 47.0.0" to "Bump cryptography from 46.0.7 to 47.0.0" May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/cryptography-47.0.0 branch from b54fbb7 to 425acf3 May 20, 2026 13:21
@github-actions

🤖 Claude Code Review

PR Code Review

Summary: This PR bumps the cryptography dependency from 46.0.7 to 47.0.0 in pyproject.toml.


Code Quality

  • Style guide: Single-line change follows existing formatting conventions.
  • No commented-out code: N/A.
  • Meaningful variable names: N/A.
  • DRY principle: N/A.
  • Defects: No logic errors introduced. This is a development dependency used for testing, not in production code paths.
  • CLAUDE.md: No issues with project config.

Testing

  • Unit/integration tests: No new code introduced; existing tests should cover continued correctness.
  • ⚠️ Test coverage: Cannot verify from the diff alone whether CI ran against the new version. Recommend confirming tests pass with cryptography==47.0.0 before merging.

Documentation

  • README: No update needed for a dev dependency bump.
  • API docs: N/A.
  • Inline comments: N/A.
  • ⚠️ CHANGELOG.md: Not updated. Depending on project conventions, a dependency bump — even a dev one — may warrant a changelog entry (e.g., under a "Dependencies" or "Chores" section).
  • Markdown formatting: N/A.

Security

  • No hardcoded credentials: N/A.
  • Input validation: N/A.
  • Error handling: N/A.
  • No sensitive data in logs: N/A.
  • No license files (.lic) checked in: N/A.
  • Security note: cryptography 47.0.0 is a minor version bump. It is advisable to review the cryptography changelog for any breaking changes or deprecations, though none are expected to affect a dev-only dependency used for testing purposes.

Overall: Clean, minimal change. The two minor items to follow up on are confirming CI passes with the new version and considering a CHANGELOG entry per project conventions.

Automated code review analyzing defects and coding standards

@dependabot dependabot Bot force-pushed the dependabot/pip/cryptography-47.0.0 branch from 425acf3 to ce1d3e1 May 20, 2026 13:49
@github-actions

🤖 Claude Code Review

PR Code Review

Summary: Dependency bump of cryptography from 46.0.7 to 47.0.0 in pyproject.toml.


Code Quality

  • Style guide: Single-line change, no style concerns.
  • No commented-out code
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic changes; this is a version bump only. cryptography 47.0.0 is a major version increment — worth confirming no breaking API changes affect usage in this repo, but as a dev dependency used for testing infrastructure, risk is low.
  • CLAUDE.md: No environment-specific content concerns.

Testing

  • Unit/integration tests: No new code introduced; existing test suite covers this.
  • ⚠️ Coverage: No test changes accompany the bump. Acceptable for a dependency update, but CI should be verified green with the new version.

Documentation

  • README: No update needed.
  • API docs: N/A
  • Inline comments: N/A
  • ⚠️ CHANGELOG.md: Not updated. Minor point — some projects track dependency bumps in the changelog; skip if not your convention.
  • Markdown formatting: N/A

Security

  • No hardcoded credentials
  • No sensitive data
  • No license files (.lic / AQAAAD)
  • Security posture: This is a positive security change. cryptography 47.0.0 includes security fixes; keeping it current is the right call.

Overall

Approve. This is a straightforward, low-risk security dependency update. The only action worth taking before merging is confirming CI passes with the new version, as cryptography 47.x is a major bump that could introduce minor breaking changes in edge-case API usage.

Automated code review analyzing defects and coding standards

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 47.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...47.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 47.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/cryptography-47.0.0 branch from ce1d3e1 to e2b61a2 May 20, 2026 15:23
@github-actions

🤖 Claude Code Review

Code Review

Code Quality

  • Style guide: Single dependency version bump, no style concerns.
  • No commented-out code
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic errors. This is a straightforward dependency update from cryptography==46.0.7 to cryptography==47.0.0 in pyproject.toml:38.

Testing

  • Tests: No new functions introduced; existing test suite covers the dependency.

Documentation

  • CHANGELOG.md: No changelog entry for the dependency bump. If this project tracks dependency updates in the changelog, one should be added.

Security

  • No hardcoded credentials
  • No sensitive data
  • No license files
  • Dependency upgrade is a security positive: cryptography 47.0.0 is a newer release and likely includes security fixes over 46.0.7. Upgrading is the correct action.

Summary: This is a clean, minimal dependency bump. The only minor concern is whether a CHANGELOG entry is expected for dependency updates in this project. Everything else looks good.

Automated code review analyzing defects and coding standards
