Bump cryptography from 47.0.0 to 48.0.0

[dependabot]

Bumps cryptography from 47.0.0 to 48.0.0.

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

Note: Going forward, we do not guarantee that all functionality

in cryptography will be available when building against

OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

Commits

• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• 82ebd3b Bump BoringSSL, OpenSSL, AWS-LC in CI (#14785)
• Additional commits viewable in compare view

[github-actions]

🤖 Claude Code Review

PR Code Review

This is a minimal dependency bump PR. Here's the review:

Code Quality

• ✅ No style guide violations — single-line change in pyproject.toml
• ✅ No commented-out code
• ✅ N/A — no new variables or logic
• ✅ DRY principle — N/A
• ✅ No defects — straightforward version pin update from 47.0.0 to 48.0.0
• ✅ CLAUDE.md looks appropriate for general developer use

Testing

• ✅ N/A — dependency version bump; no new logic requires new tests
• ✅ Existing test suite covers behavior; cryptography is a dev dependency used indirectly

Documentation

• ❌ CHANGELOG.md not updated — dependency bumps should be noted in the changelog if one exists. Check if CHANGELOG.md is present and follows project conventions.
• ✅ No API or README changes needed for a dev dependency bump
• ✅ No inline comments needed

Security

• ✅ cryptography 48.0.0 is a security-relevant upgrade — bumping this library is a positive security action. CVE fixes are typically included in cryptography releases.
• ✅ No hardcoded credentials
• ✅ No sensitive data introduced
• ✅ No .lic files or AQAAAD-prefixed strings detected

---

Summary: This is a clean, low-risk dependency bump of cryptography (a dev dependency) from 47.0.0 to 48.0.0. The only finding is the missing CHANGELOG entry — approve if your project doesn't require changelogs for automated dependency bumps.

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

PR Code Review

This is a minimal dependency bump PR — cryptography from 47.0.0 to 48.0.0 in pyproject.toml.

---

Code Quality

• ✅ Style guide: Single-line change in pyproject.toml, no style concerns.
• ✅ No commented-out code
• ✅ Meaningful variable names: N/A
• ✅ DRY principle: N/A
• ✅ Defects: No logic changes introduced. cryptography 48.0.0 is a legitimate release. No security vulnerabilities introduced by this bump — in fact, upgrading cryptography typically resolves CVEs.
• ✅ CLAUDE.md: Nothing in the project config is relevant to this change.

Testing

• ❌ Unit/integration tests: No test changes accompany this bump. However, for a pure dependency version bump, this is acceptable if the existing test suite is expected to catch regressions. No new functionality was added requiring new tests.
• ⚠️ Test coverage: Cannot assess from this diff alone — existing tests should be run against the new version to confirm compatibility.

Documentation

• ✅ README: No update needed for a dev-dependency bump.
• ✅ API docs: N/A
• ✅ Inline comments: N/A
• ❌ CHANGELOG.md: No changelog entry is present. Dependency bumps, especially security-relevant ones like cryptography, are worth noting. Recommend adding an entry.
• ✅ Markdown formatting: N/A

Security

• ✅ No hardcoded credentials
• ✅ No sensitive data
• ✅ No license files (.lic) or AQAAAD-prefixed strings
• ✅ cryptography upgrade is a security-positive change — staying current on this library is important as it frequently patches CVEs.

---

Summary

A straightforward Dependabot-style bump of cryptography from 47.0.0 → 48.0.0 in the development dependency group. The change is safe and appropriate. The only recommendation is to add a CHANGELOG.md entry for the upgrade.

Automated code review analyzing defects and coding standards