From 1bc9fff766e37ae472ef21c5c58e7b82256f1b90 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Sun, 21 Jun 2026 03:15:05 +0000
Subject: [PATCH] CORE-1048: pin minimum versions for msgpack and cryptography to fix Dependabot alerts

- msgpack >=1.2.1 (fixes OOB read/crash on Unpacker reuse after caught error)
- cryptography >=48.0.1 (fixes vulnerable OpenSSL included in wheels)
Both are transitive dependencies pinned following the same pattern as idna.
Co-Authored-By: Itamar Hartstein
---
 pyproject.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index 3e9e75002..6685f9776 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,6 +29,8 @@ dbt-core = ">=1.8,<2.0.0"
 requests = ">=2.28.1,<3.0.0"
 urllib3 = ">=2.7.0,<3.0.0"
 idna = ">=3.15,<4" # transitive dependency via requests, pinned to address CVE-2025-46816
+msgpack = ">=1.2.1" # transitive dependency via CacheControl, pinned to address GHSA OOB read
+cryptography = ">=48.0.1" # transitive dependency via SecretStorage, pinned to address GHSA vulnerable OpenSSL
 beautifulsoup4 = "<5.0.0"
 ratelimit = "*"
 posthog = "<3.0.0"
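Review bot: The two added pins have no upper bound, whereas the neighbouring `requests`, `urllib3` and `idna` lines — the idna pattern the commit message says it follows — all cap the next major; `cryptography` in particular removes deprecated APIs at major releases, so a bound such as `cryptography = ">=48.0.1,<49"` (or whatever the project actually tests against) would keep the file's convention and avoid an untested major being resolved. The new comments say only "GHSA" where the idna line records the concrete CVE-2025-46816; recording the advisory id, e.g. `# transitive dependency via CacheControl, pinned to address GHSA-xxxx-xxxx-xxxx (OOB read)` with the real id substituted for the placeholder, lets a later reader check whether the floor is still sufficient. The diffstat shows only pyproject.toml changing, so if the project commits a lock file the resolved versions presumably do not move until it is regenerated, and the Dependabot alerts would remain open. Listing these as direct constraints also installs both packages even where the transitive path (CacheControl, SecretStorage) would not have pulled them in, which is likely acceptable but worth stating in the commit message.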