Upgrade cryptography

[adrianlindell]

Summary

Fix high severity vulnerability by upgrading cryptography module.
Upgrade cryptography@46.0.5 to cryptography@48.0.1 to fix
Out-of-bounds Read [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-17344551]

Version/Tag number

0.1.10

Additional Information

Pin the cryptography dependency version to >= instead of ~= so the cryptography dependency major version can be increased from the user side.

[tybruno]

Additional context

We are blocked from upgrading cryptography in a downstream Python project that depends on conjur-api>=0.1.9 because of the current pin in conjur-api 0.1.10:

cryptography~=46.0.5

Security advisory

• GHSA: GHSA-537c-gmf6-5ccf
• CVE: CVE-2026-34180
• Severity: Moderate (GitHub Advisory Database)
• Patched in: cryptography>=48.0.1
• Details: Pre-48.0.1 PyPI wheels bundle a vulnerable statically linked OpenSSL. See the pyca/cryptography advisory.

Reproduction

With uv (or any resolver that honors dependency metadata):

[project]
dependencies = [
    "conjur-api>=0.1.9",
    "cryptography>=48.0.1",
]

uv lock
# → unsatisfiable: conjur-api pins cryptography to >=46.0.5,<46.1.dev0

Suggested fix

Relax the pin so consumers can pull patched cryptography releases. For example:

cryptography>=46.0.5

or, if compatibility with 48.x has been verified:

cryptography>=48.0.1

A new conjur-api release on PyPI with the updated constraint would unblock downstream security maintenance without requiring consumers to override dependency resolution.