Upgrade cryptography package to fix vulnerable OpenSSL#45040

Closed
gsingh935 wants to merge 1 commit into apache:main from gsingh935:patch-1

Conversation

@gsingh935
Contributor

Upgrade cryptography package to fix vulnerable OpenSSL

GHSA-h4gh-qq45-vh27

fix(security): upgrade cryptography to address vulnerability - pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels
@boring-cyborg

boring-cyborg bot commented Dec 18, 2024

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst).
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our pre-commits will help you with that.
  • In case of a new feature, add useful documentation (in docstrings or in the docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using the Breeze environment for testing locally; it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow the ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.

Apache Airflow is a community-driven project and together we are making it better 🚀.
In case of doubts contact the developers at:
Mailing List: dev@airflow.apache.org
Slack: https://s.apache.org/airflow-slack


@pierrejeambrun pierrejeambrun left a comment


@potiuk nothing more to do about constraints? That will just be fixed in the next patch release?


@potiuk potiuk left a comment


Those are completely different requirements - they are not airflow dependencies - if you read the README, those dev/requirements.txt are only used for dev tooling - why do you want to add cryptography there @gsingh935? This makes no sense whatsoever. Was it some AI-generated change?

@potiuk
Member

potiuk commented Dec 18, 2024

BTW. That issue piqued my interest - and I looked closely - it seems that the "constraint" on cryptography is held by yandexcloud - and I created an issue for them to address it: yandex-cloud/python-sdk#131.

I think it's an important one and we should even consider suspending Yandexcloud if they cannot lift the limitation. But FYI @gsingh935 -> if you are not using yandexcloud, you are absolutely free to upgrade cryptography on your own. Our constraints are just constraints, not requirements, and if you think you should upgrade a dependency for whatever reason and airflow does not "hold" the dependency as a requirement - you are on your own to do it, we are not preventing it, you just need to make sure to test if it will work for you.
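To make the constraints-versus-requirements point above checkable, here is an added example (not Airflow's or pyca's code) that parses a pip constraints file and flags a `cryptography` pin below 43.0.1, the release the thread names as addressing the advisory; the constraints lines are constructed sample input.

```python
"""Flag a `cryptography` pin in a pip constraints file that is below a fixed release.

Added example, not part of the Airflow project. FIXED_VERSION (43.0.1) comes from the
PR discussion; SAMPLE_CONSTRAINTS is constructed input, not a real Airflow constraints file.
"""
import re
from typing import Optional

# Constructed sample of constraints-file lines (package==version, comments allowed).
SAMPLE_CONSTRAINTS = """\
# constructed sample, not generated by Airflow CI
some-other-package==1.2.3
cryptography==42.0.8   # pin held here for the sake of the example
yandexcloud==0.0.0
"""

# Release named in the thread as addressing GHSA-h4gh-qq45-vh27 in the bundled OpenSSL.
FIXED_VERSION = "43.0.1"

# Matches "name==version" with optional surrounding whitespace and trailing comment.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(?:#.*)?$")


def parse_version(v: str) -> tuple:
    """Turn '43.0.1' into (43, 0, 1); non-numeric segments count as 0 (simplifying assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def pinned_version(constraints: str, package: str) -> Optional[str]:
    """Return the '==' pin for `package` in the constraints text, or None if it is not pinned."""
    wanted = package.lower().replace("_", "-")
    for line in constraints.splitlines():
        m = _PIN_RE.match(line)
        if m and m.group(1).lower().replace("_", "-") == wanted:
            return m.group(2)
    return None


def pin_is_below_fix(constraints: str, package: str = "cryptography",
                     fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `package` is pinned below `fixed`, False if pinned at or above, None if unpinned."""
    pin = pinned_version(constraints, package)
    if pin is None:
        return None
    return parse_version(pin) < parse_version(fixed)


if __name__ == "__main__":
    pin = pinned_version(SAMPLE_CONSTRAINTS, "cryptography")
    print(f"cryptography=={pin}; below fixed {FIXED_VERSION}: {pin_is_below_fix(SAMPLE_CONSTRAINTS)}")
```

A `None` result means the constraints file does not hold the package at all, which is the situation the comment above describes: the user is free to upgrade it independently.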

@potiuk
Member

potiuk commented Dec 18, 2024

I am closing this issue as this was really wrongly addressing the issue.

@potiuk potiuk closed this Dec 18, 2024
@gsingh935
Contributor Author

gsingh935 commented Dec 18, 2024

@potiuk - seems like the cryptography version for yandex-cloud has already been bumped to 43.0.1 which should address the issue.
https://github.com/yandex-cloud/python-sdk/pull/127/files

@pierrejeambrun
Member

I should have looked closer. Thanks for checking @potiuk
