
DEN-5827: Fix GHSA-r6ph-v2qm-q3c2: Upgrade cryptography to 46.0.5#302

Merged
fabioueno merged 2 commits into master from copilot/den-5827-fix-cryptography-vulnerability
Feb 11, 2026

Conversation

Contributor

Copilot AI commented Feb 11, 2026

Proposed change

Addresses HIGH severity vulnerability (GHSA-r6ph-v2qm-q3c2) in cryptography package - missing subgroup validation for SECT curves enabling subgroup attacks.

Implementation Reasoning:
Upgrading the cryptography package to 46.0.5 which includes proper subgroup validation for SECT curves, preventing subgroup attacks. This is a direct dependency upgrade - straightforward version bump in pyproject.toml (if specified) and lock file regeneration with uv. Using uv's --upgrade-package flag ensures only cryptography and its direct dependencies are updated, minimizing risk of unintended changes.

Changes:

  • uv.lock: cryptography 46.0.4 → 46.0.5

References:

How to test the change

# Verify version in lock file
grep -A2 'name = "cryptography"' uv.lock | grep version

# Run test suite
uv sync --extra dev
uv run pytest

Checklist

  • Tests have been added to verify that the new code works (if possible)
  • Documentation has been updated to reflect changes
  • CHANGELOG.md has been updated to reflect changes

cc @fabioueno for review

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • astral.sh
    • Triggering command: /usr/bin/curl curl -LsSf REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Create a branch named den-5827-fix-cryptography-vulnerability

Jira Ticket: DEN-5827
Security Alert: Github_Security_Alert - cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

Context:
This is a security vulnerability fix for GHSA-r6ph-v2qm-q3c2 in the cryptography package used by the auto-pr tool.

Vulnerability Details:

  • CVE/GHSA: GHSA-r6ph-v2qm-q3c2
  • Severity: HIGH
  • Package: cryptography
  • Vulnerable Version/Range: <= 46.0.4
  • Patched Version: 46.0.5

Work Needed:

  • Locate the cryptography dependency in pyproject.toml or uv.lock
  • Upgrade cryptography from current version (<= 46.0.4) to patched version 46.0.5
  • Update uv.lock file by running uv lock --upgrade-package cryptography or uv sync --upgrade-package cryptography
  • Verify patched version 46.0.5 appears in uv.lock
  • Run tests following repository's documented test process (check README.md, Makefile, or CI workflows in .github/workflows/)

⚠️ PR Description Requirements:

  • ALWAYS include the "Implementation Reasoning" section below in the PR description on GitHub

Implementation Reasoning:
Upgrading the cryptography package to 46.0.5 which includes proper subgroup validation for SECT curves, preventing subgroup attacks. This is a direct dependency upgrade - straightforward version bump in pyproject.toml (if specified) and lock file regeneration with uv. Using uv's --upgrade-package flag ensures only cryptography and its direct dependencies are updated, minimizing risk of unintended changes.

Security Considerations:

  • Ensure cryptography 46.0.5 actually appears in uv.lock after the update
  • Run all tests to verify no breaking changes
  • This fix addresses a HIGH severity vulnerability related to elliptic curve cryptography

Acceptance Criteria:

⚠️ Security Fix: This PR addresses a HIGH severity vulnerability in elliptic curve cryptography. Please review carefully.

Ask @fabioueno for a review.



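The "Work Needed" and "How to test the change" steps above both come down to one check: does the locked version of cryptography in uv.lock sit at or above the patched release? The script below is an added example, not code from this PR or from the auto-pr project. It reads the `[[package]]` tables of a uv.lock file with a small line-based reader (no third-party dependency), compares the locked version against the patched version from the advisory (vulnerable `<= 46.0.4`, patched `46.0.5`), and generalises to any package and patched version passed in. `SAMPLE_LOCK` is a constructed fragment, not the repository's real lock file.

```python
"""Check a uv.lock file for a package pinned inside a vulnerable version range.

Added example (not the PR's or the auto-pr project's own code). Reads the
[[package]] tables of a uv.lock file with a line-based parser and reports
whether the locked version is below the advisory's patched release.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# Constructed sample of a uv.lock fragment; not the project's real lock file.
SAMPLE_LOCK = """\
version = 1
requires-python = ">=3.12"

[[package]]
name = "cffi"
version = "1.17.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "cryptography"
version = "46.0.4"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "cffi" },
]
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '46.0.5' into (46, 0, 5). Pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.strip().split("."))


def locked_versions(lock_text: str) -> Dict[str, Version]:
    """Map package name -> locked version for every [[package]] table.

    Only the first `name =` / `version =` pair after each [[package]] header
    is used, so the `{ name = ... }` entries inside dependency arrays and the
    top-level `version = 1` lock-format line are ignored.
    """
    result: Dict[str, Version] = {}
    name: Optional[str] = None
    for line in lock_text.splitlines():
        stripped = line.strip()
        if stripped == "[[package]]":
            name = None  # start of a new package table
            continue
        m = re.match(r'^name\s*=\s*"([^"]+)"$', stripped)
        if m and name is None:
            name = m.group(1)
            continue
        m = re.match(r'^version\s*=\s*"([^"]+)"$', stripped)
        if m and name is not None and name not in result:
            result[name] = parse_version(m.group(1))
    return result


def is_vulnerable(locked: Version, patched: Version) -> bool:
    """The advisory range is '<= 46.0.4', i.e. anything below the patched release."""
    return locked < patched


def check_lock(lock_text: str, package: str, patched: str) -> Tuple[str, Optional[str]]:
    """Return (status, locked_version) with status in {'missing', 'vulnerable', 'ok'}."""
    versions = locked_versions(lock_text)
    if package not in versions:
        return "missing", None
    locked = versions[package]
    status = "vulnerable" if is_vulnerable(locked, parse_version(patched)) else "ok"
    return status, ".".join(str(p) for p in locked)


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/uv.lock]; falls back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LOCK
    status, ver = check_lock(text, "cryptography", "46.0.5")
    print(f"cryptography {ver}: {status}")
    sys.exit(0 if status == "ok" else 1)
```

Run against the real lock file after `uv lock --upgrade-package cryptography`; a non-zero exit means the bump did not land (or the package is absent), which is the condition the "Ensure cryptography 46.0.5 actually appears in uv.lock" item asks to verify, and is easy to wire into CI next to the `uv run pytest` step.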
@gygrobot gygrobot requested a review from fabioueno February 11, 2026 12:22
@gyg-pr-tool gyg-pr-tool bot changed the title [WIP] Fix cryptography vulnerability due to missing subgroup validation DEN-5827: [WIP] Fix cryptography vulnerability due to missing subgroup validation Feb 11, 2026
Copilot AI changed the title DEN-5827: [WIP] Fix cryptography vulnerability due to missing subgroup validation Fix GHSA-r6ph-v2qm-q3c2: Upgrade cryptography to 46.0.5 Feb 11, 2026
@gygrobot gygrobot marked this pull request as ready for review February 11, 2026 12:27
@gygrobot gygrobot requested a review from a team as a code owner February 11, 2026 12:27
Copilot AI requested a review from gygrobot February 11, 2026 12:27
@gyg-pr-tool gyg-pr-tool bot changed the title Fix GHSA-r6ph-v2qm-q3c2: Upgrade cryptography to 46.0.5 DEN-5827: Fix GHSA-r6ph-v2qm-q3c2: Upgrade cryptography to 46.0.5 Feb 11, 2026
@fabioueno fabioueno merged commit a9b7e62 into master Feb 11, 2026
6 checks passed
@fabioueno fabioueno deleted the copilot/den-5827-fix-cryptography-vulnerability branch February 11, 2026 12:29
