chore: bump cryptography to ~=49.0 #680

Force-pushed: d0b81ab to 169f65b
Greptile Summary
This PR updates the

Confidence Score: 4/5
Not safe to merge until the dependency specifier matches the intended compatibility range. The changed package metadata has a clear resolver-visible compatibility regression for consumers constrained to the 48.x cryptography line.
pyproject.toml
What T-Rex did
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
pyproject.toml:11
**Dependency range narrowed**
The new `cryptography~=49.0` requirement resolves to `>=49.0,<50.0`, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow `>=48`. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.
```suggestion
"cryptography>=48",
```
Reviews (2): Last reviewed commit: "chore: bump cryptography to ~=49.0"
| dependencies = [ | ||
| "cryptography~=48.0", | ||
| "cryptography>=48", |
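Review bot: the replacement line `"cryptography>=48",` removes the ceiling along with the old floor, so nothing in the published metadata stops a resolver from selecting cryptography 50 or later the day it is released, while the review discussion describes a `>=48,<50` window. If that window is the intent, spell it out as `"cryptography>=48,<50",` so the next major still requires a deliberate bump in this file.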
Upper bound omitted
cryptography>=48 does not encode the intended <50 ceiling, so the published package metadata will accept cryptography 50+ immediately. This contradicts the PR summary's >=48,<50 compatibility window and removes the human-review gate for the next major from downstream resolution.
Artifacts
- Repro: focused metadata and specifier evaluation script (text/x-python)
- Repro: script output showing cryptography 50.0.0 is permitted

Ran code and verified through T-Rex
Prompt To Fix With AI
This is a comment left during a code review.
Path: pyproject.toml
Line: 11
Comment:
**Upper bound omitted**
`cryptography>=48` does not encode the intended `<50` ceiling, so the published package metadata will accept `cryptography` 50+ immediately. This contradicts the PR summary's `>=48,<50` compatibility window and removes the human-review gate for the next major from downstream resolution.
How can I resolve this? If you propose a fix, please make it concise.

Commit message:
Move the cryptography requirement from ~=48.0 to ~=49.0 (>=49.0,<50.0) and re-lock to 49.0.0. The SDK only uses long-stable cryptography APIs (Fernet, Cipher/algorithms/modes, default_backend in session.py and vault/_resource.py), which are unchanged in the 49.x line.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Force-pushed: 169f65b to 01a3cf4
| dependencies = [ | ||
| "cryptography~=48.0", | ||
| "cryptography~=49.0", |
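Review bot: `"cryptography~=49.0",` is the compatible-release spelling of `>=49.0,==49.*`, so it rejects every 48.x release that the previous `~=48.0` line admitted; a consumer still constrained to 48.x can no longer resolve this SDK, which runs against the PR's stated goal of allowing `>=48`. Keep `~=49.0` only if dropping 48.x is the intent; otherwise write the window out as `"cryptography>=48,<50",`. The `uv.lock` bump to 49.0.0 mentioned in the summary is a separate matter: the lock fixes what this repo tests, the specifier fixes what consumers may install.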
Dependency range narrowed
The new cryptography~=49.0 requirement resolves to >=49.0,<50.0, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow >=48. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.
| "cryptography~=49.0", | |
| "cryptography>=48", |
Artifacts
- Repro: pip resolver script for a temporary consumer pinned to cryptography 48.x (text/x-shellscript, with command output)
- Repro: uv resolver script attempted for a temporary consumer pinned to cryptography 48.x (text/x-shellscript)
- Repro: uv resolver attempt output showing uv was unavailable
- Repro: wheel metadata extraction attempt output showing build tooling was unavailable

Ran code and verified through T-Rex
Prompt To Fix With AI
This is a comment left during a code review.
Path: pyproject.toml
Line: 11
Comment:
**Dependency range narrowed**
The new `cryptography~=49.0` requirement resolves to `>=49.0,<50.0`, so packages pinned to the current 48.x line can no longer install this SDK even though the PR says the goal is to allow `>=48`. This changes the published package contract in the opposite direction from the requested lower-bound widening and will force downstream consumers off 48.x immediately.
```suggestion
"cryptography>=48",
```
How can I resolve this? If you propose a fix, please make it concise.
Summary
- `cryptography` requirement from `~=48.0` to `~=49.0` (i.e. `>=49.0,<50.0`).
- `uv.lock`: cryptography 48.0.1 → 49.0.0.
- The SDK only uses long-stable cryptography APIs (`Fernet`, and `Cipher`/`algorithms`/`modes` + `default_backend` in `session.py`/`vault/_resource.py`), which are unchanged in the 49.x line.

Test plan
- `uv sync --locked --dev` resolves cleanly against the new range
- `uv run pytest` passes
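Both review threads above come down to what a PEP 440 specifier actually admits: `~=49.0` is shorthand for `>=49.0,==49.*`, `>=48` has no ceiling at all, and the `>=48,<50` window the discussion describes is neither of the two lines that were proposed. The script below is an added example for this review, not the project's code and not Greptile's attached repro. It evaluates the four specifiers in play against a constructed list of candidate releases (not fetched from PyPI) using a minimal release-segment-only subset of PEP 440 (no pre/post/dev/local versions), which is all these specifiers need; `check_contract` and `parse_requirement` are hypothetical helpers named here for the demo. In a real pre-merge check you would use `packaging.specifiers.SpecifierSet`, which returns the same answers for these inputs.

```python
"""Evaluate which cryptography versions a pyproject.toml requirement admits.

Added example for this PR review; not the project's code. Implements only
the release-segment subset of PEP 440 (no pre/post/dev/local versions),
which is enough for the specifiers under discussion.
"""
from __future__ import annotations

import re

# Constructed candidate releases for the demo; not fetched from PyPI.
CANDIDATES = ["48.0.0", "48.0.1", "49.0.0", "49.1.0", "50.0.0"]

_CLAUSE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?")
_REQUIREMENT = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)")


def parse_version(text: str) -> tuple[int, ...]:
    """'49.0.1' -> (49, 0, 1); rejects anything beyond a plain release segment."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version (release segment only): {text!r}")
    return tuple(int(part) for part in text.split("."))


def _compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Ordering with zero padding, so 48.0 == 48.0.0 as PEP 440 requires."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def _has_prefix(version: tuple[int, ...], prefix: tuple[int, ...]) -> bool:
    """True when version matches prefix.* (e.g. 49.1.0 matches 49.*)."""
    padded = version + (0,) * max(0, len(prefix) - len(version))
    return padded[: len(prefix)] == prefix


def clause_admits(clause: str, version: str) -> bool:
    """Evaluate one comparison clause such as '~=49.0' or '<50'."""
    match = _CLAUSE.fullmatch(clause.strip())
    if not match:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, target_text, wildcard = match.groups()
    target, candidate = parse_version(target_text), parse_version(version)
    if op == "~=":
        # Compatible release: ~=X.Y means >=X.Y, ==X.* (the last component is dropped).
        # Component count matters: ~=49.0.0 would mean >=49.0.0, ==49.0.*, a far tighter pin.
        if len(target) < 2:
            raise ValueError("~= requires at least two release components")
        return _compare(candidate, target) >= 0 and _has_prefix(candidate, target[:-1])
    if wildcard:
        if op not in ("==", "!="):
            raise ValueError(f"wildcard is only valid with == or !=: {clause!r}")
        hit = _has_prefix(candidate, target)
        return hit if op == "==" else not hit
    order = _compare(candidate, target)
    return {"==": order == 0, "!=": order != 0, "<=": order <= 0,
            ">=": order >= 0, "<": order < 0, ">": order > 0}[op]


def admits(specifier: str, version: str) -> bool:
    """A specifier set is comma-separated clauses ANDed together; an empty set admits all."""
    clauses = [c for c in specifier.split(",") if c.strip()]
    return all(clause_admits(c, version) for c in clauses)


def admitted(specifier: str, versions: list[str] = CANDIDATES) -> list[str]:
    """Which candidate releases a resolver could select under this specifier."""
    return [v for v in versions if admits(specifier, v)]


def parse_requirement(line: str) -> tuple[str, str]:
    """Split a pyproject entry like '"cryptography~=49.0",' into (name, specifier)."""
    cleaned = line.strip().rstrip(",").strip().strip("\"'")
    match = _REQUIREMENT.fullmatch(cleaned)
    if not match:
        raise ValueError(f"unsupported requirement: {line!r}")
    return match.group(1), match.group(2).strip()


def check_contract(specifier: str, must_admit: list[str], must_reject: list[str]) -> list[str]:
    """Violations of the intended compatibility window; an empty list means the specifier is right."""
    problems = []
    for v in must_admit:
        if not admits(specifier, v):
            problems.append(f"{specifier!r} rejects {v}")
    for v in must_reject:
        if admits(specifier, v):
            problems.append(f"{specifier!r} admits {v}")
    return problems


if __name__ == "__main__":
    for line in ['"cryptography~=48.0",', '"cryptography~=49.0",',
                 '"cryptography>=48",', '"cryptography>=48,<50",']:
        name, spec = parse_requirement(line)
        print(f"{name}{spec:<10} admits {admitted(spec)}")
    # The window the review describes: 48.x stays installable, 50.x does not.
    for spec in ("~=49.0", ">=48", ">=48,<50"):
        print(spec, check_contract(spec, must_admit=["48.0.1"], must_reject=["50.0.0"]) or "OK")
```

Run as a script it prints, for each of the four dependency lines, the candidate releases a resolver could pick, then the contract check: `~=49.0` fails because it rejects 48.0.1, `>=48` fails because it admits 50.0.0, and only `>=48,<50` satisfies both constraints. Wiring `check_contract` into CI against the parsed `pyproject.toml` entry turns the review comments above into a test that fails before the package is published.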