Bump cryptography from 47.0.0 to 48.0.0

[dependabot]

Bumps cryptography from 47.0.0 to 48.0.0.

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

Note: Going forward, we do not guarantee that all functionality

in cryptography will be available when building against

OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

Commits

• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• 82ebd3b Bump BoringSSL, OpenSSL, AWS-LC in CI (#14785)
• Additional commits viewable in compare view

[github-actions]

🤖 Claude Code Review

PR Code Review

Reviewing the diff which updates the cryptography dependency from 47.0.0 to 48.0.0.

---

Code Quality

• ✅ Style guide: Single dependency version bump, no style concerns.
• ✅ No commented-out code: N/A
• ✅ Meaningful variable names: N/A
• ✅ DRY principle: N/A
• ✅ Defects: No logic errors. This is a straightforward dependency bump in pyproject.toml:39. The cryptography library is a security-sensitive package — bumping to 48.0.0 is appropriate and expected for vulnerability patches.
• ✅ CLAUDE.md: No concerns. The project config is appropriately general.

Testing

• ✅ No new code introduced; existing test suite covers dependency compatibility.
• ⚠️ Note: No evidence of test results in the diff. Assumes CI passes with cryptography==48.0.0. If there are any breaking API changes in 48.0.0, existing tests should catch them.

Documentation

• ✅ README: No update needed for a dev-dependency bump.
• ✅ CHANGELOG.md: Not updated — acceptable for an automated dependency bump PR (Dependabot-style), but worth confirming this project's policy on changelog entries for dependency updates.
• ✅ Markdown/CommonMark: N/A

Security

• ✅ No hardcoded credentials: N/A
• ✅ No sensitive data: N/A
• ✅ No .lic files: N/A
• ✅ Security posture: Bumping cryptography is a security-positive change. cryptography 48.0.0 addresses CVEs present in earlier versions. This bump is recommended.

---

Summary

Approve. This is a clean, single-line dependency version bump for cryptography (dev dependency, used in testing). No functional code changes. The update is security-positive and the change is scoped correctly to pyproject.toml. No documentation, testing, or security concerns.

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary: This PR bumps cryptography from 47.0.0 to 48.0.0 in the development dependencies.

---

Code Quality

• ✅ Style guide: Single-line version bump, no style concerns.
• ✅ No commented-out code
• ✅ DRY principle: No duplication introduced.
• ✅ Defects: No logic changes; this is a dependency version bump only. cryptography 48.0.0 is a legitimate release with no known critical regressions at time of review.
• ✅ CLAUDE.md: Not affected by this change.

Testing

• ✅ No new functions — existing test suite covers this dependency.
• ⚠️ Test coverage: No new tests added, which is appropriate for a dependency bump. Verify CI passes with the updated version.

Documentation

• ✅ README/API docs: No documentation changes needed for a dev-dependency version bump.
• ❌ CHANGELOG.md: No changelog entry. Dependency bumps are typically recorded — verify whether this project's convention requires a changelog entry for dependency updates (many projects exempt automated dependency bumps like Dependabot PRs from this requirement).

Security

• ✅ No hardcoded credentials
• ✅ No sensitive data
• ✅ No license files (.lic) checked in
• ✅ Security posture improved: cryptography 48.0.0 includes security fixes over 47.0.0. Bumping this dependency is the correct action.

---

Overall: This is a clean, minimal dependency bump. The only potential gap is a missing CHANGELOG entry — confirm whether your project convention requires one for automated dependency updates.

Automated code review analyzing defects and coding standards