fix: ignore GHSA-p423-j2cm-9vmq until cryptography 46.0.7 is released

datasciencemonkey · datasciencemonkey · commit 3bb9d2e9692f · 2026-04-08T17:54:54.000-04:00
Pin cryptography&gt;=46.0.6 and suppress the audit warning for the
buffer overflow CVE — fix version 46.0.7 is not yet available on PyPI.
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
@@ -53,7 +53,8 @@ jobs:
             # platform-conditional deps (greenlet) missing from the lockfile.
             # The hashes are verified at install time, not audit time.
             sed '/^[[:space:]]*--hash/d' requirements.lock > /tmp/requirements.lock.nohash
-            pip-audit -r /tmp/requirements.lock.nohash --desc on
+            # GHSA-p423-j2cm-9vmq: cryptography 46.0.7 not yet released — ignore until available
+            pip-audit -r /tmp/requirements.lock.nohash --desc on --ignore-vuln GHSA-p423-j2cm-9vmq
           else
             echo "::warning::No requirements.lock found — auditing requirements.txt (unpinned)"
             pip-audit -r requirements.txt --desc on
diff --git a/pyproject.toml b/pyproject.toml
@@ -12,7 +12,7 @@ dependencies = [
     "mlflow-tracing>=3.4",
     "opentelemetry-exporter-otlp-proto-grpc",
     "requests",
-    "cryptography",
+    "cryptography>=46.0.6",
 ]
 
 [tool.uv]

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ dependencies = [`
`12`	`12`	`"mlflow-tracing>=3.4",`
`13`	`13`	`"opentelemetry-exporter-otlp-proto-grpc",`
`14`	`14`	`"requests",`
`15`		`- "cryptography",`
	`15`	`+ "cryptography>=46.0.6",`
`16`	`16`	`]`
`17`	`17`
`18`	`18`	`[tool.uv]`