Summary
cryptography cannot be upgraded to 46.0.7 (which carries three security fixes) in the modules that depend on unstract-connectors, because snowflake-connector-python ~=3.14.0 pins cffi < 2.0.0 while cryptography 46.0.1+ requires cffi >= 2.0.0. The two are mutually exclusive, capping cryptography at 46.0.0 in those modules.
This surfaced during review of #2011 (Dependabot bumped cryptography to 46.0.7 only in platform-service/prompt-service, which have no snowflake dependency).
Affected modules (capped at cryptography 46.0.0, missing CVE fixes)
- backend (lock: 46.0.0)
- workers (lock: 45.0.7)
- unstract/connectors (lock: 41.0.7)
- root uv.lock (lock: 46.0.0)
Missing security fixes
| cryptography | CVE | Issue |
| --- | --- | --- |
| 46.0.5 | CVE-2026-26007 | Binary elliptic-curve private-key leak |
| 46.0.6 | CVE-2026-34073 | Name-constraint bypass with wildcard DNS SAN |
| 46.0.7 | CVE-2026-39892 | Buffer overflow on non-contiguous buffers |
Root cause
- cryptography 46.0.1+ requires cffi >= 2.0.0 (Python >= 3.9)
- snowflake-connector-python ~=3.14 requires cffi >= 1.9, < 2.0.0
unstract/connectors/pyproject.toml declares snowflake-connector-python[pandas]~=3.14.0. backend, workers, and the root project all depend on unstract-connectors, so cffi is forced < 2.0.0, which makes 46.0.0 the highest resolvable cryptography. Editing backend/pyproject.toml to cryptography>=46.0.7 makes the project unresolvable (uv lock fails).
Proposed fix
- Upgrade snowflake-connector-python 3.14.x -> 4.x (4.x drops the cffi dependency entirely). Update the constraint in unstract/connectors/pyproject.toml.
- Re-lock the affected modules with `uv lock --upgrade-package cryptography --upgrade-package cffi`.
- Align the backend/pyproject.toml cryptography floor to >=46.0.7 to match platform-service.
- Test the Snowflake connector — this is a two-major-version jump and may have breaking API changes.
Scope note
Out of scope for the lock-only Dependabot PR #2011, which should merge as-is.