Bump cryptography from 46.0.6 to 46.0.7 in the uv group across 1 directory

[dependabot]

Bumps the uv group with 1 update in the / directory: cryptography.

Updates cryptography from 46.0.6 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:

Commits

• 622d672 46.0.7 release (#14602)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR is a security patch update bumping cryptography from 46.0.6 to 46.0.7, generated by Dependabot. It addresses CVE-2026-39892, a buffer overflow vulnerability caused by non-contiguous buffers being passed to Python buffer APIs, and also updates the bundled OpenSSL wheels to 3.5.6.

Confidence Score: 5/5

Safe to merge — this is a pure security patch with no API changes.

Patch-level bump (46.0.6 → 46.0.7) that fixes a CVE with no breaking changes; lockfile hashes are correctly regenerated by Dependabot.

No files require special attention.

Vulnerabilities

• This update resolves CVE-2026-39892: a buffer overflow in cryptography (≤46.0.6) where non-contiguous Python buffers could be passed to internal buffer APIs, potentially leading to memory corruption. Merging this PR removes the vulnerability.

Important Files Changed

Filename	Overview
requirements.txt	Bumps cryptography pin from 46.0.6 to 46.0.7 to address CVE-2026-39892.
uv.lock	Lockfile updated with new hashes, URLs, and wheel entries for cryptography 46.0.7 across all supported platforms.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot detects CVE-2026-39892] --> B[Bump cryptography 46.0.6 → 46.0.7]
    B --> C[Update requirements.txt pin]
    B --> D[Regenerate uv.lock hashes & wheels]
    C --> E[OpenSSL updated to 3.5.6 in wheels]
    D --> E
    E --> F[Buffer overflow vulnerability resolved]

Loading

_{Reviews (1): Last reviewed commit: "Bump cryptography in the uv group across..." | Re-trigger Greptile}