Skip to content

chore: bump cryptography to ~=49.0#680

Merged
gjtorikian merged 1 commit into
mainfrom
widen-cryptography-range
Jul 1, 2026
Merged

chore: bump cryptography to ~=49.0#680
gjtorikian merged 1 commit into
mainfrom
widen-cryptography-range

Conversation

@gjtorikian

@gjtorikian gjtorikian commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Move the cryptography requirement from ~=48.0 to ~=49.0 (i.e. >=49.0,<50.0).
  • Re-lock uv.lock: cryptography 48.0.149.0.0.
  • The SDK only uses long-stable cryptography APIs (Fernet, and Cipher/algorithms/modes + default_backend in session.py / vault/_resource.py), which are unchanged in the 49.x line.

Test plan

  • uv sync --locked --dev resolves cleanly against the new range
  • uv run pytest passes

@gjtorikian gjtorikian requested review from a team as code owners June 30, 2026 19:57
@gjtorikian gjtorikian requested a review from csrbarber June 30, 2026 19:57
@gjtorikian gjtorikian force-pushed the widen-cryptography-range branch from d0b81ab to 169f65b Compare June 30, 2026 22:22
@gjtorikian gjtorikian changed the title chore: widen cryptography range and let Renovate advance upper bound chore: widen cryptography lower bound to >=48 Jun 30, 2026
@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR updates the cryptography dependency and lockfile. The main changes are:

  • Moves the runtime dependency from the 48.x series to the 49.x series.
  • Regenerates uv.lock with cryptography 49.0.0.
  • Updates lockfile package metadata to match the new dependency specifier.

Confidence Score: 4/5

Not safe to merge until the dependency specifier matches the intended compatibility range.

The changed package metadata has a clear resolver-visible compatibility regression for consumers constrained to the 48.x cryptography line.

pyproject.toml

T-Rex T-Rex Logs

What T-Rex did

  • T-Rex reproduced a dependency-resolution failure when pinning cryptography to 48.x while workos 8.3.0 requires cryptography~=49.0, and attempted uv-based resolution and wheel metadata checks but those tools were unavailable.
  • T-Rex ran the uv-workflow before and after transcripts to verify cryptography can be upgraded from 48.0.1 to 49.0.0 without breaking the test suite; the before and after transcripts show the same test count with updated cryptography and similar runtimes.
  • T-Rex compared cryptography 48.0.1 and 49.0.0 for a cryptography-backed SDK and confirmed Fernet/session-cookie/AES-GCM roundtrips succeed in both versions; no findings were filed because head matched the base behavior.

View all artifacts

T-Rex Ran code and verified through T-Rex

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
pyproject.toml:11
**Dependency range narrowed**
The new `cryptography~=49.0` requirement resolves to `>=49.0,<50.0`, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow `>=48`. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.

```suggestion
  "cryptography>=48",
```

Reviews (2): Last reviewed commit: "chore: bump cryptography to ~=49.0" | Re-trigger Greptile

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

T-Rex pricing update — T-Rex was free through June 2026. Effective July 1, 2026, T-Rex adds 2 credits on top of the standard 1-credit review (3 total). T-Rex settings

Comment thread pyproject.toml Outdated

dependencies = [
"cryptography~=48.0",
"cryptography>=48",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Upper bound omitted
cryptography>=48 does not encode the intended <50 ceiling, so the published package metadata will accept cryptography 50+ immediately. This contradicts the PR summary's >=48,<50 compatibility window and removes the human-review gate for the next major from downstream resolution.

Artifacts

Repro: focused metadata and specifier evaluation script

  • Contains supporting evidence from the run (text/x-python; charset=utf-8).

Repro: script output showing cryptography 50.0.0 is permitted

  • Keeps the command output available without making the summary code-heavy.

View artifacts

T-Rex Ran code and verified through T-Rex

Prompt To Fix With AI
This is a comment left during a code review.
Path: pyproject.toml
Line: 11

Comment:
**Upper bound omitted**
`cryptography>=48` does not encode the intended `<50` ceiling, so the published package metadata will accept `cryptography` 50+ immediately. This contradicts the PR summary's `>=48,<50` compatibility window and removes the human-review gate for the next major from downstream resolution.

How can I resolve this? If you propose a fix, please make it concise.

Move the cryptography requirement from ~=48.0 to ~=49.0 (>=49.0,<50.0)
and re-lock to 49.0.0. The SDK only uses long-stable cryptography APIs
(Fernet, Cipher/algorithms/modes, default_backend in session.py and
vault/_resource.py), which are unchanged in the 49.x line.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gjtorikian gjtorikian force-pushed the widen-cryptography-range branch from 169f65b to 01a3cf4 Compare June 30, 2026 22:51
@gjtorikian gjtorikian changed the title chore: widen cryptography lower bound to >=48 chore: bump cryptography to ~=49.0 Jun 30, 2026
Comment thread pyproject.toml

dependencies = [
"cryptography~=48.0",
"cryptography~=49.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Dependency range narrowed
The new cryptography~=49.0 requirement resolves to >=49.0,<50.0, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow >=48. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.

Suggested change
"cryptography~=49.0",
"cryptography>=48",
Artifacts

Repro: pip resolver script for a temporary consumer pinned to cryptography 48.x

  • Contains supporting evidence from the run (text/x-shellscript; charset=utf-8).

Repro: verbose pip output showing ResolutionImpossible for cryptography==48.0.0 versus workos cryptography~=49.0

  • Keeps the command output available without making the summary code-heavy.

Repro: uv resolver script attempted for a temporary consumer pinned to cryptography 48.x

  • Contains supporting evidence from the run (text/x-shellscript; charset=utf-8).

Repro: uv resolver attempt output showing uv was unavailable

  • Keeps the command output available without making the summary code-heavy.

Repro: wheel metadata extraction attempt output showing build tooling was unavailable

  • Keeps the command output available without making the summary code-heavy.

View artifacts

T-Rex Ran code and verified through T-Rex

Prompt To Fix With AI
This is a comment left during a code review.
Path: pyproject.toml
Line: 11

Comment:
**Dependency range narrowed**
The new `cryptography~=49.0` requirement resolves to `>=49.0,<50.0`, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow `>=48`. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.

```suggestion
  "cryptography>=48",
```

How can I resolve this? If you propose a fix, please make it concise.

@gjtorikian gjtorikian merged commit 2678ca4 into main Jul 1, 2026
11 checks passed
@gjtorikian gjtorikian deleted the widen-cryptography-range branch July 1, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant