
Bump cryptography from 48.0.0 to 48.0.1 #1978

Merged: JSv4 merged 1 commit into main from dependabot/pip/cryptography-48.0.1 on Jun 11, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026


Bumps cryptography from 48.0.0 to 48.0.1.

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cryptography](https://github.com/pyca/cryptography) from 48.0.0 to 48.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@48.0.0...48.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added labels: dependencies (Pull requests that update a dependency file), python (Pull requests that update Python code) on Jun 10, 2026
claude Bot commented Jun 10, 2026

Code Review: Bump cryptography from 48.0.0 to 48.0.1

Overview

This is a Dependabot-generated patch version bump of the cryptography library from 48.0.0 to 48.0.1. The single change updates the pinned version in requirements/base.txt.


What Changed

The 48.0.1 release recompiles the Windows, macOS, and Linux wheels against OpenSSL 4.0.1 (up from whatever OpenSSL 3.x was bundled in 48.0.0). There are no API changes, no new features, and no bug fixes to Python-level code — it is a pure OpenSSL rebuild.


Analysis

Security

  • OpenSSL 4.0.1 is the latest stable release and incorporates all upstream security fixes. Staying current here is the right call for a platform that handles legal documents and potentially sensitive cryptographic operations.
  • No CVEs are listed in the changelog, but keeping the OpenSSL bundled binary up-to-date is good hygiene regardless.

Compatibility

  • Patch-level bump (48.0.0 → 48.0.1) with no Python API changes — zero risk of breakage for any code importing cryptography.
  • The project already pins cryptography==48.0.0 (exact pin), so this is a straight substitution.

Change Scope

  • Minimal: exactly one line in requirements/base.txt. No lockfile or secondary requirements files need separate changes since the project uses direct pip install -r patterns.

Test Coverage

  • No code changes require new tests. The existing test suite exercising JWT/TLS/auth flows (via pyjwt which depends on cryptography) will validate the new wheel implicitly.

Suggestions

  1. Consider unpinning to a range: The current exact pin (cryptography==48.0.1) means every patch release requires a Dependabot PR. A range like cryptography>=48.0.1,<49 would allow patch updates to land automatically while still preventing unexpected major/minor bumps. This is a minor nit and not a blocker.

  2. CI validation: Ensure the CI pipeline runs against this bump before merging — the change is low-risk but the wheels do contain compiled Rust/C extensions, and a rebuild against a new OpenSSL occasionally surfaces platform-specific issues in CI environments (rare but worth confirming green).


Verdict

Approve and merge. This is a safe, routine security maintenance update. The only change is recompiling against the latest OpenSSL, which is strictly better from a security standpoint with no functional risk.

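Added example (not code from the PR, the project, or either bot): a small check that turns the review's two suggestions into something CI can run. It reads the cryptography pin from a constructed stand-in for requirements/base.txt, derives the `>=48.0.1,<49` range form the review proposes, and, when cryptography is installed, checks that the OpenSSL reported by `backend.openssl_version_text()` is at least 4.0.1. The sample file contents (including the pyjwt line) are constructed, and the backend attribute is assumed to exist in the installed release.

```python
"""Check the cryptography pin and the OpenSSL bundled in the installed wheel.
Added example, not part of the PR; the requirements text is constructed and
the cryptography import is optional so the script runs without it."""
import re
# Constructed stand-in for requirements/base.txt after this PR (real file not shown on the page).
SAMPLE_REQUIREMENTS = """\
cryptography==48.0.1
pyjwt[crypto]==2.10.1   # constructed pin; pyjwt pulls in cryptography
"""

def parse_version(text):
    """'48.0.1' -> (48, 0, 1); also works on 'OpenSSL 4.0.1 9 Jun 2026'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def find_pin(requirements, name):
    """Exact-pinned version of `name` (extras allowed), or None if not pinned."""
    pattern = rf"^{re.escape(name)}(\[[^\]]*\])?==(\S+)"
    for line in requirements.splitlines():
        m = re.match(pattern, line.strip(), re.IGNORECASE)
        if m:
            return m.group(2)
    return None

def suggest_range(pin):
    """The review's alternative: accept patch/minor updates, block the next major."""
    major = parse_version(pin)[0]
    return f">={pin},<{major + 1}"

def openssl_at_least(version_text, minimum="4.0.1"):
    """True when a string like 'OpenSSL 4.0.1 9 Jun 2026' reports >= `minimum`."""
    return parse_version(version_text) >= parse_version(minimum)

def installed_openssl_text():
    """OpenSSL version string linked into the installed wheel, or None if absent."""
    try:  # assumption: this backend attribute exists in the installed release
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return None
    return backend.openssl_version_text()

if __name__ == "__main__":
    pin = find_pin(SAMPLE_REQUIREMENTS, "cryptography")
    print(f"pinned: cryptography=={pin}; range form: cryptography{suggest_range(pin)}")
    text = installed_openssl_text()
    if text is None:
        print("cryptography not installed here; OpenSSL check skipped")
    else:
        print(f"{text}: {'OK' if openssl_at_least(text) else 'older than 4.0.1'}")
```

Pointing `find_pin` at the real requirements/base.txt and failing the job when `openssl_at_least` returns False makes the "implicit" validation the review relies on explicit.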
@JSv4 JSv4 merged commit e66cc42 into main Jun 11, 2026
6 checks passed
@JSv4 JSv4 deleted the dependabot/pip/cryptography-48.0.1 branch June 11, 2026 02:30