
Bump cryptography from 46.0.5 to 46.0.6 in the uv group across 1 directory #58

Merged
mvfc merged 1 commit into main from dependabot/uv/uv-6ba9ca5f64 on Mar 31, 2026

Conversation

dependabot bot (Contributor) commented on behalf of github Mar 29, 2026

Bumps the uv group with 1 update in the / directory: cryptography.

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25


* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR is a security-driven dependency bump for the cryptography package from 46.0.5 to 46.0.6, generated by Dependabot.

  • Security fix (CVE-2026-34073): Patches a bug where X.509 name constraints were not enforced against peer names when the leaf certificate contains a wildcard DNS SAN. While the Web PKI is not affected, other certificate topologies using wildcard SANs with name constraints may have been vulnerable to improper certificate acceptance.
  • requirements.txt is updated to pin cryptography==46.0.6.
  • uv.lock is updated with new checksums and download URLs for the cryptography 46.0.6 distribution across all supported platforms (macOS universal2, manylinux, musllinux, Windows — for cp38-abi3, cp311-abi3, and cp314-cp314t ABIs).
  • No application code was changed; this is a pure dependency update.

Confidence Score: 5/5

Safe to merge — this is a targeted security patch with no breaking changes and no application logic modifications.

The change is a pure patch-level dependency bump (46.0.5 → 46.0.6) that addresses a CVE. Both changed files (requirements.txt and uv.lock) are correctly updated and consistent with each other. All wheel hashes in the lock file correspond to the official PyPI release. There are no code changes, no API surface changes, and the cryptography changelog notes that ordinary X.509 / Web PKI topologies are unaffected by the bug being fixed.

No files require special attention.

Important Files Changed

requirements.txt: Version bump for cryptography from 46.0.5 to 46.0.6 to address CVE-2026-34073 (wildcard DNS SAN name constraint bypass).
uv.lock: Lock file updated with new sdist and wheel hashes for cryptography 46.0.6 across all supported platforms and Python ABI targets.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["CVE-2026-34073 Reported\n(Wildcard DNS SAN + Name Constraints bypass)"] --> B["cryptography 46.0.6 Released\n2026-03-25"]
    B --> C["Dependabot detects new version"]
    C --> D["PR #58 opened"]
    D --> E["requirements.txt\ncryptography==46.0.5 → 46.0.6"]
    D --> F["uv.lock\nAll wheel hashes updated\n(cp38-abi3, cp311-abi3, cp314-cp314t)"]
    E --> G["Security patch applied ✅"]
    F --> G

Release Notes

  • Security Update: Bump cryptography from 46.0.5 to 46.0.6
    • Addresses CVE-2026-34073: DNS name constraints were not being applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN
    • Updated requirements.txt to pin cryptography==46.0.6
    • Refreshed uv.lock with updated checksums and URLs for cryptography 46.0.6

Contribution Summary

dependabot[bot]: 1 line added, 1 line removed

Bumps the uv group with 1 update in the / directory: [cryptography](https://github.com/pyca/cryptography).


Updates `cryptography` from 46.0.5 to 46.0.6
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Mar 29, 2026
mvfc (Owner) commented Mar 31, 2026

@coderabbitai

@greptileai

coderabbitai bot (Contributor) commented Mar 31, 2026

Tip

For best results, initiate chat on the files or code changes.

@mvfc It looks like your comment got cut off! 😊 How can I help you with this PR?

If you'd like me to review the changes, I can do that. Or if you'd like me to approve this security patch (bumping cryptography to 46.0.6 to address CVE-2026-34073), just let me know!

coderabbitai bot (Contributor) commented Mar 31, 2026

@mvfc, happy to review this security dependency bump! Here's a quick summary of what this PR addresses:

CVE-2026-34073 — Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology — one that the Web PKI avoids — and is consequently considered medium-to-low impact severity. The CVSS 4.0 base score is 1.7 (LOW).

Triggering a full review now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot (Contributor) commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 235a8a23-d01b-484d-87f0-919d3746518a

📥 Commits

Reviewing files that changed from the base of the PR and between 4061427 and 4cc073a.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • requirements.txt

📝 Walkthrough

Walkthrough

Updated the cryptography dependency version from 46.0.5 to 46.0.6 in requirements.txt. This is a patch-level version bump with no other changes to the dependency manifest.

Changes

Cohort / File(s) Summary
Dependency Updates
requirements.txt
Bumped cryptography package from version 46.0.5 to 46.0.6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

reviewed

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled).
Title check: Passed. The title accurately reflects the main change: a patch-level version bump of the cryptography dependency from 46.0.5 to 46.0.6.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.



@mvfc mvfc self-assigned this Mar 31, 2026
coderabbitai bot (Contributor) commented Mar 31, 2026


@mvfc It looks like your comment may have been cut off again — I only see the mentions with no message body! 😊

Could you let me know what you'd like help with? For example:

  • Approve this PR — I can approve the cryptography 46.0.6 security bump (CVE-2026-34073).
  • Full review — I can do a detailed review of the requirements.txt and uv.lock changes.
  • Something else — Just let me know!

mvfc (Owner) commented Mar 31, 2026

@coderabbitai check if bumping this version can have any unintended consequences on the application itself please

coderabbitai bot (Contributor) commented Mar 31, 2026


🧩 Analysis chain

I'll look at how the application uses the cryptography library and check the 46.0.6 release notes for any breaking changes.


🏁 Script executed:

#!/bin/bash
# Find all Python files that import or use cryptography
echo "=== Files importing cryptography ==="
rg -n --type py "from cryptography|import cryptography" -C2

echo ""
echo "=== All requirements/dependencies ==="
cat requirements.txt

echo ""
echo "=== Cryptography-related usage patterns ==="
rg -n --type py "cryptography\." -C2

Length of output: 1042


🌐 Web query:

cryptography python library 46.0.6 changelog release notes breaking changes

💡 Result:

cryptography 46.0.6 (released 2026-03-25) — release notes / changelog

  • Security fix (CVE-2026-34073): Fixed a bug where X.509 name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. The project notes that ordinary X.509 topologies (including typical Web PKI use) are not affected. [1]
  • Breaking changes: None called out in the 46.0.6 changelog entry (it is a targeted security/bugfix release). [1]

Release date confirmation (PyPI): 46.0.6 published Mar 25, 2026. [2]

Sources: [1] Cryptography 46.0.6 changelog, [2] PyPI release history for cryptography.


@mvfc, I've checked the application's usage of cryptography and the 46.0.6 release notes. This bump is safe with no unintended consequences. Here's why:


What the application uses (src/bw_client.py)

cryptography.hazmat.primitives.ciphers.aead.AESGCM: AES-GCM symmetric encryption/decryption
cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC: password-based key derivation
cryptography.hazmat.primitives.hashes: hash primitives (e.g. SHA-256)

These are all symmetric cryptography primitives — completely independent of X.509, TLS, or certificate verification code.


What 46.0.6 actually changes

The only change in 46.0.6 is the security fix for CVE-2026-34073: X.509 name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. No breaking changes are called out in the 46.0.6 changelog — it is a targeted security/bugfix release.


Conclusion

The CVE fix is scoped exclusively to X.509 certificate peer name validation, which this application never invokes. The APIs in use (AESGCM, PBKDF2HMAC, hashes) are entirely unaffected. You can safely merge this PR.

@mvfc mvfc merged commit 0823e15 into main Mar 31, 2026
12 checks passed
@mvfc mvfc deleted the dependabot/uv/uv-6ba9ca5f64 branch March 31, 2026 09:29

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code reviewed
