Skip to content

Resolve cryptography vulnerability alert#115

Merged
pda merged 2 commits into
mainfrom
resolve-cryptography-vulnerability
Jun 29, 2026
Merged

Resolve cryptography vulnerability alert#115
pda merged 2 commits into
mainfrom
resolve-cryptography-vulnerability

Conversation

@pda

@pda pda commented Jun 29, 2026

Copy link
Copy Markdown
Member

Update the lockfile so the Dependabot alert for GHSA-537c-gmf6-5ccf no longer contains a vulnerable cryptography wheel entry. The vulnerable path is release/dev tooling (twine/keyring) rather than collector runtime code.

Changes

  • Update uv.lock from cryptography 46.0.7 to 49.0.0, above the advisory's patched floor of 48.0.1.
  • Keep package/runtime Python support at >=3.9.
  • Gate the dev extra's twine dependency to python_full_version >= '3.9.1', so exact Python 3.9.0 runtime installs remain supported without resolving the vulnerable dev-only dependency path.

Verification

  • uv lock --check
  • uv sync --all-extras --locked
  • uv tree --all-groups --python-version 3.9.0 --python-platform linux (runtime deps present; no twine/cryptography path)
  • uv tree --all-groups --python-version 3.9.1 --python-platform linux (twine present with cryptography 49.0.0)
  • uv run pytest tests (103 passed, 5 skipped)

Deployment

Low risk. This only changes dev dependency resolution and the lockfile; Python 3.9 runtime support remains unchanged.

Rollback

Revert this PR to restore the previous lockfile and dev dependency metadata. That would reopen this Dependabot alert until another mitigation is applied.

Related

  • Resolves TE-6220

Update the lockfile to cryptography 49.0.0 so the Dependabot
alert for GHSA-537c-gmf6-5ccf no longer contains a vulnerable
cryptography wheel entry. The alert comes through the release/dev
path via twine and keyring rather than the collector runtime.

cryptography's patched releases no longer cover the exact Python
3.9.0 floor, so narrow the package metadata and README from >=3.9
to >=3.9.1. This preserves the existing Python 3.9 CI line while
allowing uv to resolve one patched cryptography version for the full
supported range.

Validated with uv lock --check, uv sync --all-extras, a Linux Python
3.9.6 dry-run sync, and uv run pytest tests.

Amp-Thread-ID: https://ampcode.com/threads/T-019f10cc-55c9-70ee-9345-5dc089037b98
Co-authored-by: Amp <amp@ampcode.com>
@pda pda requested a review from buildsworth-bk June 29, 2026 00:39
@pda pda enabled auto-merge June 29, 2026 00:43
@pda pda requested a review from a team June 29, 2026 00:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 883268990e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pyproject.toml Outdated
description = "Buildkite Test Engine collector"
readme = "README.md"
requires-python = ">=3.9"
requires-python = ">=3.9.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restore package-level support for Python 3.9.0

When installing the collector without the dev extra on exact CPython 3.9.0, this package-wide Requires-Python now makes pip/uv reject the release even though the runtime dependency list (requests, pytest, filelock) has not gained any 3.9.1-only requirement; the vulnerable cryptography path is only reached via the dev extra (twine/keyring/SecretStorage). Please keep the project metadata at >=3.9 and constrain or remove the dev-only dependency path instead, otherwise users on the previously supported 3.9.0 runtime are unnecessarily blocked.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Good catch — fixed in ffa8c4a. I restored package/runtime support to >=3.9 and instead gated the dev-only twine dependency to python_full_version >= '3.9.1', which removes the vulnerable twinekeyringSecretStoragecryptography path only for exact Python 3.9.0. The lockfile still contains only patched cryptography 49.0.0, and I validated that the Python 3.9.0 Linux dependency tree retains runtime deps without twine/cryptography.

Address PR review feedback by restoring the package metadata and README
to the original >=3.9 runtime support range. The vulnerable dependency
path is dev and release tooling only, so avoid blocking runtime users on
exact Python 3.9.0.

Constrain the dev extra's twine dependency to Python >=3.9.1 instead.
That removes the twine -> keyring -> SecretStorage -> cryptography path
from exact 3.9.0, while keeping twine available for the existing 3.9 CI
line and newer supported versions. The lockfile still contains only
cryptography 49.0.0, which is above the patched floor for
GHSA-537c-gmf6-5ccf.

Validated with uv lock --check, uv sync --all-extras --locked, a Python
3.9.0 Linux dependency tree check, a Python 3.9.1 Linux dependency tree
check, and uv run pytest tests.

Amp-Thread-ID: https://ampcode.com/threads/T-019f10cc-55c9-70ee-9345-5dc089037b98
Co-authored-by: Amp <amp@ampcode.com>
@pda pda requested review from buildsworth-bk and removed request for buildsworth-bk June 29, 2026 01:09
@pda

pda commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

@buildsworth-bk review

@pda

pda commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Delightful!

Reviewed commit: ffa8c4a3b7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@pda pda merged commit 6683895 into main Jun 29, 2026
13 checks passed
@pda pda deleted the resolve-cryptography-vulnerability branch June 29, 2026 02:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants