fix: bump cryptography to 46.0.7 for CVE-2026-39892

This commit is contained in:
Greyson LaLonde
2026-04-09 05:17:31 +08:00
committed by GitHub
parent 0e590ff669
commit 8cdde16ac8
2 changed files with 41 additions and 39 deletions


@@ -161,13 +161,14 @@ info = "Commits must follow Conventional Commits 1.0.0."
[tool.uv]
exclude-newer = "3 days"
exclude-newer = "2026-04-10" # pinned for CVE-2026-39892; restore to "3 days" after 2026-04-11
# composio-core pins rich<14 but textual requires rich>=14.
# onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
# fastembed 0.7.x and docling 2.63 cap pillow<12; the removed APIs don't affect them.
# langchain-core <1.2.11 has SSRF via image_url token counting (CVE-2026-26013).
# transformers 4.57.6 has CVE-2026-1839; force 5.4+ (docling 2.84 allows huggingface-hub>=1).
# cryptography 46.0.6 has CVE-2026-39892; force 46.0.7+.
override-dependencies = [
"rich>=13.7.1",
"onnxruntime<1.24; python_version < '3.11'",
@@ -175,6 +176,7 @@ override-dependencies = [
"langchain-core>=1.2.11,<2",
"urllib3>=2.6.3",
"transformers>=5.4.0; python_version >= '3.10'",
"cryptography>=46.0.7",
]
[tool.uv.workspace]
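Review bot: The absolute cut-off `exclude-newer = "2026-04-10"` in the first hunk carries a manual revert obligation in its trailing comment, but nothing in the file enforces it; if the revert is forgotten, resolution stays frozen at that date and later security releases — including any follow-up to the cryptography 46.0.7 fix the same commit forces — would be excluded without any error. As far as I recall uv reads a date-only value in the system's local time zone, so CI and developer machines can resolve differently near the boundary; an explicit instant such as `exclude-newer = "2026-04-10T00:00:00Z" # pinned for CVE-2026-39892; restore to "3 days" after 2026-04-11` removes that ambiguity, and it is worth confirming that the 46.0.7 upload time precedes the chosen cut-off, since the `cryptography>=46.0.7` override in the second hunk is unsatisfiable otherwise. Naming a tracking issue in that comment (placeholder: `see <TRACKING-ISSUE>`) would make the pending revert visible to whoever next edits `[tool.uv]`. The unbounded `cryptography>=46.0.7` entry matches the style of the neighbouring `urllib3>=2.6.3` override, so no further change is needed there.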