Update dependency cryptography to v46.0.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cryptography (changelog)	46.0.3 → 46.0.5

GitHub Vulnerability Alerts

CVE-2026-26007

Vulnerability Summary

The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve.

This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.

Only SECT curves are impacted by this.

Credit

This vulnerability was discovered by:

• XlabAI Team of Tencent Xuanwu Lab
• Atuin Automated Vulnerability Discovery Engine

---

Release Notes

pyca/cryptography (cryptography)

v46.0.5

Compare Source

v46.0.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
⚠️ ACTION	actionlint	4		3	0	0.06s
✅ COPYPASTE	jscpd	yes		no	no	2.03s
⚠️ DOCKERFILE	hadolint	2		1	0	0.08s
✅ JSON	jsonlint	3		0	0	0.31s
✅ JSON	prettier	3	0	0	0	0.49s
✅ JSON	v8r	3		0	0	2.73s
⚠️ MARKDOWN	markdownlint	12	0	17	0	1.22s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.29s
✅ PYTHON	bandit	7		0	0	1.4s
✅ PYTHON	black	7	0	0	0	1.72s
✅ PYTHON	flake8	7		0	0	0.87s
✅ PYTHON	isort	7	0	0	0	0.25s
⚠️ PYTHON	mypy	7		5	0	4.38s
✅ PYTHON	pylint	7		0	0	9.16s
⚠️ PYTHON	pyright	7		4	0	5.44s
✅ PYTHON	ruff	7	0	0	0	0.03s
✅ REPOSITORY	checkov	yes		no	no	19.68s
✅ REPOSITORY	gitleaks	yes		no	no	16.62s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
⚠️ REPOSITORY	grype	yes		11	no	36.74s
✅ REPOSITORY	secretlint	yes		no	no	0.73s
✅ REPOSITORY	syft	yes		no	no	2.03s
❌ REPOSITORY	trivy	yes		1	no	13.45s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.82s
✅ REPOSITORY	trufflehog	yes		no	no	3.94s
✅ SPELL	cspell	49		0	0	4.54s
⚠️ SPELL	lychee	30		2	0	21.1s
✅ YAML	prettier	15	0	0	0	0.91s
✅ YAML	v8r	15		0	0	7.96s
✅ YAML	yamllint	15		0	0	0.65s

Detailed Issues

❌ REPOSITORY / trivy - 1 error

│               │ https://avd.aquasec.com/nvd/cve-2025-69227                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69228 │          │        │                   │               │ aiohttp: aiohttp: Denial of Service via memory exhaustion    │
│          │                │          │        │                   │               │ from crafted POST request...                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69228                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69229 │          │        │                   │               │ aiohttp: AIOHTTP: Denial of Service via excessive CPU usage  │
│          │                │          │        │                   │               │ in chunked message...                                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69229                   │
│          ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69224 │ LOW      │        │                   │               │ aiohttp: aiohttp: Request smuggling via non-ASCII characters │
│          │                │          │        │                   │               │ in HTTP parser                                               │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69224                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69225 │          │        │                   │               │ aiohttp: aiohttp: Request smuggling vulnerability via        │
│          │                │          │        │                   │               │ non-ASCII decimals in Range header                           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69225                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69226 │          │        │                   │               │ aiohttp: aiohttp: Information disclosure of path components  │
│          │                │          │        │                   │               │ via static file path normalization...                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69226                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69230 │          │        │                   │               │ aiohttp: aiohttp: Denial of Service via specially crafted    │
│          │                │          │        │                   │               │ invalid cookies                                              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69230                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ filelock │ CVE-2026-22701 │ MEDIUM   │        │ 3.20.1            │ 3.20.3        │ filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in     │
│          │                │          │        │                   │               │ SoftFileLock                                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-22701                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3  │ CVE-2026-21441 │ HIGH     │        │ 2.6.2             │ 2.6.3         │ urllib3: urllib3 vulnerable to decompression-bomb safeguard  │
│          │                │          │        │                   │               │ bypass when following HTTP redirects (streaming...           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21441                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 5000 characters out of 18618)

⚠️ ACTION / actionlint - 3 errors

.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/release.yml:63:9: shellcheck reported issue in this script: SC2086:info:1:55: Double quote to prevent globbing and word splitting [shellcheck]
   |
63 |         run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
   |         ^~~~

⚠️ REPOSITORY / grype - 11 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME        INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
aiohttp     3.13.2     3.13.3    python  GHSA-6mq8-rvhq-8wgg  High      < 0.1% (18th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-6jhg-hg63-jvvf  Medium    < 0.1% (18th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-jj3x-wxrx-4x23  Medium    < 0.1% (18th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-g84x-mcqj-x9qq  Medium    < 0.1% (15th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-54jq-c3m8-4m76  Low       < 0.1% (18th)  < 0.1  
urllib3     2.6.2      2.6.3     python  GHSA-38jv-5279-wg99  High      < 0.1% (3rd)   < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-mqqc-3gqh-h2x8  Low       < 0.1% (13th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-69f9-5gxw-wvc2  Low       < 0.1% (12th)  < 0.1  
aiohttp     3.13.2     3.13.3    python  GHSA-fh55-r93g-j68g  Low       < 0.1% (12th)  < 0.1  
filelock    3.20.1     3.20.3    python  GHSA-qmgc-5h2g-mvrw  Medium    < 0.1% (4th)   < 0.1  
virtualenv  20.35.4    20.36.1   python  GHSA-597g-3phw-6986  Medium    < 0.1% (4th)   < 0.1
[0036] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ DOCKERFILE / hadolint - 1 error

Dockerfile:5 DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
docker/Dockerfile:7 DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
docker/Dockerfile:12 DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
docker/Dockerfile:15 DL3003 warning: Use WORKDIR to switch to a directory
docker/Dockerfile:15 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
docker/Dockerfile:15 SC2226 warning: This ln has no destination. Check the arguments, or specify '.' explicitly.
docker/Dockerfile:24 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments

⚠️ SPELL / lychee - 2 errors

[IGNORED] docker://nvuillam/github-dependents-info:v3.0.0 | Unsupported: Error creating request client: builder error for url (docker://nvuillam/github-dependents-info:v3.0.0)
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........177
✅ Successful.....138
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded........36
❓ Unknown..........0
🚫 Errors...........2

Errors in .github/dependabot.yml
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found

Errors in docs/github-dependents-info.md
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found

⚠️ MARKDOWN / markdownlint - 17 errors

.github/PULL_REQUEST_TEMPLATE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
docs/github-dependents-info.md:8:401 error MD013/line-length Line length [Expected: 400; Actual: 1092]
README.md:47:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:48:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:49:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:50:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:216:3 error MD051/link-fragments Link fragments should be valid [Context: "[Installation](#⚙️-installation)"]
README.md:217:3 error MD051/link-fragments Link fragments should be valid [Context: "[Usage](#🛠️-usage)"]
README.md:218:3 error MD051/link-fragments Link fragments should be valid [Context: "[Examples](#🧪-examples)"]
README.md:276 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:280 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:285 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:289 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:293 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:297 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:301 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:328:1 error MD045/no-alt-text Images should have alternate text (alt text)

⚠️ PYTHON / mypy - 5 errors

github_dependents_info/gh_dependents_info.py:50: error: Need type annotation for "packages" (hint: "packages: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:51: error: Need type annotation for "all_public_dependent_repos" (hint: "all_public_dependent_repos: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:52: error: Need type annotation for "badges" (hint: "badges: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:53: error: Need type annotation for "result" (hint: "result: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:240: error: Item "None" of "Path | None" has no attribute "mkdir"  [union-attr]
Found 5 errors in 1 file (checked 7 source files)

⚠️ PYTHON / pyright - 4 errors

github_dependents_info/__main__.py
  github_dependents_info/__main__.py:7:6 - error: Import "rich.console" could not be resolved (reportMissingImports)
github_dependents_info/gh_dependents_info.py
  github_dependents_info/gh_dependents_info.py:13:8 - error: Import "pandas" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:14:6 - error: Import "bs4" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:240:32 - error: "mkdir" is not a known attribute of "None" (reportOptionalMemberAccess)
4 errors, 0 warnings, 0 informations

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository