Bump cryptography from 44.0.2 to 48.0.1 in /experiments/agentcompany/openhands #40
Open
dependabot[bot] wants to merge 1 commit into
Bumps [cryptography](https://github.com/pyca/cryptography) from 44.0.2 to 48.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.2...48.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Review the following changes in direct dependencies.
| compressed-tensors==0.6.0 | ||
| contourpy==1.3.1 | ||
| cryptography==44.0.2 | ||
| cryptography==48.0.1 |
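Review bot: the last line of this hunk changes the `cryptography` pin in isolation, moving it from 44.0.2 to 48.0.1 across four major versions while no other pin in the file is touched. The review on this page reports that the same file pins `pyOpenSSL==25.0.0`, which requires `cryptography<45`, so this line should change together with the pyOpenSSL pin in one commit, and the result should be checked with `pip install --dry-run -r requirements.txt` before merge.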
**Version conflict with `pyOpenSSL==25.0.0`**

`pyOpenSSL 25.0.0` declares `cryptography<45,>=41.0.5` as its dependency. Pinning `cryptography==48.0.1` violates that upper bound, so `pip install -r requirements.txt` will fail with a dependency resolution error. The first pyOpenSSL release that raised the ceiling to 48.x is 26.2.0; `pyOpenSSL==25.0.0` on line 137 would need to be bumped in tandem for this environment to install.
Path: experiments/agentcompany/openhands/requirements.txt
Line: 28
Bumps cryptography from 44.0.2 to 48.0.1.
Commits
- de987ce 48.0.1 version bump and changelog (#14996)
- 8e03e30 bump for 48.0.0 release (#14796)
- 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
- 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
- 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
- b2da57a changelog for mldsa/mlkem for openssl (#14791)
- 3cf44ad ML-KEM OpenSSL support (#14781)
- 2e31639 ML-DSA OpenSSL support (#14773)
- 5affe5a fix rust nightly clippy (#14790)
- 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
Greptile Summary
This PR bumps `cryptography` from 44.0.2 to 48.0.1 in the agentcompany/openhands requirements file via Dependabot. However, the file also pins `pyOpenSSL==25.0.0`, which declares a hard upper bound of `cryptography<45` — meaning the two pinned versions are mutually incompatible and the environment cannot be installed as-is.

- `cryptography` is incremented by 4 major versions (44 → 48), spanning multiple backwards-incompatible releases (Python 3.8 removal, `SECT*` curve removal, OpenSSL 1.1.x removal, exception-type change for unsupported keys).
- `pyOpenSSL==25.0.0` requires `cryptography<45,>=41.0.5`; support for cryptography 48.x was only added in `pyOpenSSL 26.2.0`. Both pins must be updated together.

Confidence Score: 1/5
The requirements file cannot be installed: pyOpenSSL 25.0.0 caps cryptography below 45, but cryptography is now pinned at 48.0.1.
The two explicit pins — pyOpenSSL==25.0.0 and cryptography==48.0.1 — are directly incompatible: pyOpenSSL 25.0.0 declares cryptography<45 as a hard constraint, so pip will refuse to resolve the environment. The cryptography bump cannot be merged without a matching pyOpenSSL bump to at least 26.2.0.
experiments/agentcompany/openhands/requirements.txt — both cryptography and pyOpenSSL lines need to be updated together.
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pip install -r requirements.txt"] --> B["Resolve cryptography==48.0.1"]
    A --> C["Resolve pyOpenSSL==25.0.0"]
    C --> D["Requires: cryptography>=41.0.5,<45"]
    B --> E["cryptography 48.0.1 ≥ 45"]
    D & E --> F["❌ Dependency conflict\nResolution fails"]
    F --> G["Fix: bump pyOpenSSL to ≥26.2.0\n(first release supporting cryptography 48.x)"]
```
Reviews (1): Last reviewed commit: "Bump cryptography in /experiments/agentc..."
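The conflict described in the review above can be caught before merge by comparing every exact pin against the constraints that the other pinned packages declare. The following is an added example, not code from this PR, Dependabot, Socket or Greptile: the sample requirements text and the `DECLARED` mapping are constructed from the values quoted on this page, and the version comparison is a simplified stand-in for full PEP 440 handling that covers numeric release segments only.

```python
import operator
import re

# Constructed sample: three of the pins named on this page.
REQUIREMENTS = "contourpy==1.3.1\ncryptography==48.0.1\npyOpenSSL==25.0.0\n"
# Assumption: declared dependencies are supplied as a dict; only the
# pyOpenSSL 25.0.0 constraint quoted in the review is filled in.
DECLARED = {"pyopenssl": {"25.0.0": ["cryptography<45,>=41.0.5"]}}

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, "<": operator.lt, ">": operator.gt}
VER = r"[0-9]+(?:\.[0-9]+)*"

def norm(name):
    """Normalize a project name (case and runs of -, _ and .)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vtuple(version):
    """Numeric release segments, zero-padded so that 45 == 45.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (6 - len(parts)))

def parse_pins(text):
    """Return {name: version} for every exact `name==version` line."""
    pins = {}
    for line in text.splitlines():
        m = re.fullmatch(rf"([A-Za-z0-9._-]+)==({VER})", line.split("#", 1)[0].strip())
        if m:
            pins[norm(m.group(1))] = m.group(2)
    return pins

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    for clause in spec.split(","):
        m = re.fullmatch(rf"\s*(==|!=|>=|<=|<|>)\s*({VER})\s*", clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not OPS[m.group(1)](vtuple(version), vtuple(m.group(2))):
            return False
    return True

def find_conflicts(pins, declared):
    """List (package, version, dependency, pinned, spec) for violated constraints."""
    conflicts = []
    for pkg, ver in pins.items():
        for req in declared.get(pkg, {}).get(ver, []):
            m = re.match(r"([A-Za-z0-9._-]+)(.*)", req)
            dep, spec = norm(m.group(1)), m.group(2).strip()
            if dep in pins and spec and not satisfies(pins[dep], spec):
                conflicts.append((pkg, ver, dep, pins[dep], spec))
    return conflicts
```

A CI job would fail the build when `find_conflicts(parse_pins(text), declared)` returns a non-empty list, with `declared` filled from package metadata instead of the constructed mapping.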