Bump cryptography from 46.0.5 to 46.0.6

[dependabot]

Bumps cryptography from 46.0.5 to 46.0.6.

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself. The log states: "The project was informed of the problem early through an issue report but has not responded yet." A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

What was fixed automatically

• ✅ requests bumped from 2.32.5 → 2.33.0 to fix GHSA-gc5v-m9x4-r6x2

Recommended next steps

1. Monitor the vulnerability advisory for a patch release of pygments
2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Alternatively, consider whether pygments can be replaced with an alternative

This PR will not be auto-merged until the pygments vulnerability is resolved.

[amrit110]

Security Vulnerability — No Working Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because the only available patched version introduces a regression that breaks CI:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	No working fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments (ReDoS via inefficient regex in AdlLexer). The only version that claims to fix it is pygments 2.20.0, but that version introduces a regression: pygments.formatters.html.HtmlFormatter._decodeifneeded('') returns None instead of '', causing html.escape() to raise AttributeError: 'NoneType' object has no attribute 'replace' when building docs with pymdown-extensions.

aieng-bot attempted the upgrade to pygments>=2.20.0 but the build CI job failed with:

ERROR   -  Error reading page 'dev_guide.md': 'NoneType' object has no attribute 'replace'
AttributeError: 'NoneType' object has no attribute 'replace'

Recommended next steps

1. Monitor the pygments issue tracker for a 2.20.1 patch release that fixes the HTML formatter regression
2. Once a stable fixed release is published to PyPI, aieng-bot can re-run and apply the update automatically
3. Consider whether a temporary pip-audit ignore exception for GHSA-5239-wwwm-4pmq can be added with justification (requires human review) — note the vulnerability requires local access to exploit

This PR will not be auto-merged until the pygments vulnerability is resolved without breaking CI.