[Snyk] Security upgrade cryptography from 45.0.7 to 46.0.5#8
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-15263096
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| mutagen==1.31 | ||
| click==6.2 | ||
| paramiko==2.0.9 | ||
| cryptography>=46.0.5 # not directly required, pinned by Snyk to avoid a vulnerability |
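Review bot: the new `cryptography>=46.0.5` line is a lower bound, not a pin, while every other entry in this hunk (`mutagen==1.31`, `click==6.2`, `paramiko==2.0.9`) is `==`-pinned; a floor lets any future cryptography release resolve in, so the requirements file stops being reproducible and the next breaking major lands silently. Suggest `cryptography==46.0.5` (or a hash-pinned lock file) and, before merging, a `pip install -r requirements.txt` on the interpreter the project actually targets, since the comment "not directly required" means the only consumer of this package is a transitive one (here `paramiko==2.0.9`), and it is that consumer's compatibility with 46.x that has to hold.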
Cryptography 46 incompatible with project's Python 3.7 requirement
High Severity
The newly pinned cryptography>=46.0.5 requires Python 3.8+, but this project targets Python 3.7 (as declared in Pipfile). Installing this dependency on the project's target Python version will fail, breaking the build entirely.
| mutagen==1.31 | ||
| click==6.2 | ||
| paramiko==2.0.9 | ||
| cryptography>=46.0.5 # not directly required, pinned by Snyk to avoid a vulnerability |
Paramiko 2.0.9 incompatible with cryptography 46.x series
High Severity
paramiko==2.0.9 was never tested or updated for cryptography>=46.0.5. Paramiko only added compatibility with cryptography ≥43 in version 3.4.1. Using this old paramiko with such a new cryptography is very likely to cause runtime import errors or broken cryptographic operations.

Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
requirements.txt

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note

Low Risk

Low risk dependency-only change that adds a security pin for cryptography; main risk is compatibility/runtime issues if this project expects an older cryptography version.

Overview

Adds an explicit cryptography>=46.0.5 entry in requirements.txt (not previously listed) to remediate a security vulnerability flagged by Snyk and ensure the transitive dependency is constrained to a safe version.

Written by Cursor Bugbot for commit 511bee5.