Bump Jinja2, pg8000, urllib3, cryptography, cffi, snowflake-connector-python, snowflake-sqlalchemy, and PyNaCl#7454

Merged
daveqnet merged 6 commits into main from daveqnet/pypi-package-version-bumps on Feb 24, 2026

Conversation

daveqnet (Contributor) commented Feb 23, 2026

Description Of Changes

Bumps several PyPI dependencies to their latest compatible versions.

Closes the following ENG Jira tickets in the fides repo (follow-on work may be required in fidesplus).

  • ENG-2687
  • ENG-2689
  • ENG-2690
  • ENG-2746
  • ENG-2747

Direct bumps (in pyproject.toml)

| Package      | Old      | New      |
|--------------|----------|----------|
| Jinja2       | 3.1.5    | 3.1.6    |
| pg8000       | 1.31.2   | 1.31.5   |
| urllib3      | ~=2.5.0  | ~=2.6.3  |
| cryptography | ~=45.0.7 | ~=46.0.5 |

Cascade bumps (required by cryptography 46.0.5)

| Package                    | Old       | New     | Why                                                        |
|----------------------------|-----------|---------|------------------------------------------------------------|
| cffi                       | ~=1.17.1  | ~=2.0.0 | cryptography 46 requires cffi>=2.0.0                       |
| snowflake-connector-python | ~=3.18.0  | ~=4.3.0 | snowflake-connector 3.18 required cffi<2.0.0               |
| snowflake-sqlalchemy       | ~=1.7.7   | ~=1.8.2 | snowflake-sqlalchemy 1.7 required snowflake-connector<4.0.0 |

Transitive bump (via uv lock --upgrade-package)

| Package | Old   | New   |
|---------|-------|-------|
| PyNaCl  | 1.5.0 | 1.6.2 |

Breaking Changes Analysis

All major/minor bumps were reviewed for breaking changes. None impact fides:

  • cffi 1→2: _Bool return type and ffi.buffer type changes — fides has zero direct cffi imports; it's transitive only via cryptography.
  • cryptography 45→46: SSH key loading exceptions changed; EC verify() no longer returns True — fides doesn't use those APIs. The deprecated default_backend() calls in aes_gcm_encryption_util.py and snowflake_connector.py are still silently accepted.
    • Note also that this integration/connector is deprecated
  • snowflake-connector-python 3→4: DictCursor hierarchy, cursor return types, and execute() params changed — fides uses Snowflake exclusively through SQLAlchemy, never the raw connector cursor APIs.
  • snowflake-sqlalchemy 1.7→1.8: div_is_floordiv default flipped to False — fides constructs all Snowflake queries as raw SQL text, not SQLAlchemy expression arithmetic.
  • urllib3 2.5→2.6: Several deprecated APIs removed — fides only uses Retry with non-deprecated params.
  • PyNaCl 1.5→1.6: Python 3.6/3.7 dropped — fides has no direct PyNaCl imports; transitive via paramiko.

Code Changes

  • Bumped 4 direct dependencies in pyproject.toml (Jinja2, pg8000, urllib3, cryptography)
  • Bumped 3 cascade dependencies in pyproject.toml (cffi, snowflake-connector-python, snowflake-sqlalchemy)
  • Updated uv.lock with all resolved versions including transitive PyNaCl bump

Steps to Confirm

  1. CI integration tests pass for Snowflake, Postgres (pg8000), and other integrations

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a "db-migration" label to the entry if your change includes a DB migration
    • Add a "high-risk" label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required
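As an added illustration of the cascade described in the tables above (example code written for this page, not code from the PR or from fides): a small compatible-release checker that shows why no cffi version could satisfy cryptography 46 (cffi>=2.0.0) and snowflake-connector-python 3.18 (cffi<2.0.0) at the same time, and why bumping the connector resolves it. The constraint lists and candidate versions are constructed from the figures in the description; the parser handles only plain dotted numeric versions.

```python
from __future__ import annotations
import re

# Constructed constraint sets for cffi, taken from this PR's description: cryptography 46
# requires cffi>=2.0.0, while snowflake-connector-python 3.18 required cffi<2.0.0.
BEFORE_BUMP = ["~=1.17.1", ">=2.0.0", "<2.0.0"]  # old project pin + both dependents
AFTER_BUMP = ["~=2.0.0", ">=2.0.0"]  # new project pin + cryptography 46 (connector pin gone)
CANDIDATES = ["1.17.1", "2.0.0"]  # the cffi versions named on the page

_SPEC_RE = re.compile(r"^(~=|==|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def _parse(v: str) -> tuple[int, ...]:
    """Plain dotted numeric versions only (no pre-, post- or dev-release segments)."""
    return tuple(int(p) for p in v.split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare version tuples, zero-padding the shorter one so that 2.0 == 2.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets a single PEP 440 specifier such as '~=2.0.0' or '<2.0.0'."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, bound = m.group(1), _parse(m.group(2))
    v = _parse(version)
    if op == "~=":
        # Compatible release: >= bound AND equal to bound with its last component dropped,
        # so '~=2.0.0' admits 2.0.x but not 2.1.0, and '~=1.7.7' admits 1.7.x but not 1.8.2.
        if len(bound) < 2:
            raise ValueError("~= needs at least two version components")
        return _cmp(v, bound) >= 0 and _cmp(v[: len(bound) - 1], bound[:-1]) == 0
    c = _cmp(v, bound)
    return {"==": c == 0, "!=": c != 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]


def find_compatible(candidates: list[str], specs: list[str]) -> list[str]:
    """Candidate versions meeting every specifier; an empty list means the pins conflict."""
    return [v for v in candidates if all(satisfies(v, s) for s in specs)]


if __name__ == "__main__":
    print("before bump:", find_compatible(CANDIDATES, BEFORE_BUMP))  # [] -> unsatisfiable
    print("after bump: ", find_compatible(CANDIDATES, AFTER_BUMP))  # ['2.0.0']
```

The same check explains the snowflake-sqlalchemy pin: `satisfies("1.8.2", "~=1.7.7")` is False, so the project pin itself had to move to `~=1.8.2`.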


daveqnet added the "run unsafe ci checks" label (runs fides-related CI checks that require sensitive credentials) Feb 23, 2026
daveqnet marked this pull request as ready for review February 23, 2026 12:43
daveqnet requested a review from ethanwlo February 23, 2026 12:43
greptile-apps bot (Contributor) commented Feb 23, 2026

Greptile Summary

This PR bumps 7 PyPI dependencies to their latest compatible versions to address multiple security and compatibility issues:

Direct bumps:

  • Jinja2: 3.1.5 → 3.1.6 (patch)
  • pg8000: 1.31.2 → 1.31.5 (patch)
  • urllib3: ~=2.5.0 → ~=2.6.3 (minor)
  • cryptography: ~=45.0.7 → ~=46.0.5 (major)

Cascade bumps (required by cryptography 46):

  • cffi: ~=1.17.1 → ~=2.0.0 (major)
  • snowflake-connector-python: ~=3.18.0 → ~=4.3.0 (major)
  • snowflake-sqlalchemy: ~=1.7.7 → ~=1.8.2 (minor)

Transitive bump:

  • PyNaCl: 1.5.0 → 1.6.2

Breaking changes verification:

  • Verified that deprecated default_backend() calls in aes_gcm_encryption_util.py and snowflake_connector.py are still silently accepted in cryptography 46
  • Confirmed fides uses Snowflake exclusively through SQLAlchemy (not raw connector APIs), avoiding DictCursor and cursor API breaking changes
  • Confirmed Snowflake queries constructed as raw SQL text (not SQLAlchemy expression arithmetic), unaffected by div_is_floordiv default change
  • Verified urllib3 Retry usage in okta_http_client.py only uses non-deprecated parameters
  • No direct usage of PyNaCl, SSH key loading, or EC verify APIs found

Confidence Score: 5/5

  • Safe to merge - well-researched dependency updates with verified compatibility
  • All major version bumps thoroughly analyzed for breaking changes. None of the breaking changes affect fides: deprecated default_backend() still works, no usage of changed Snowflake cursor APIs or SQLAlchemy division operators, and urllib3 Retry parameters are all non-deprecated. Changes are purely dependency updates with comprehensive changelog documentation.
  • No files require special attention

Important Files Changed

| Filename                                   | Overview                                                                                                                      |
|--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| changelog/pypi-package-version-bumps.yaml  | Added changelog entry documenting all package version bumps                                                                   |
| pyproject.toml                             | Updated 7 direct dependency versions: Jinja2, pg8000, urllib3, cryptography, cffi, snowflake-connector-python, snowflake-sqlalchemy |
| uv.lock                                    | Lock file updated with resolved versions including transitive PyNaCl bump                                                     |

Last reviewed commit: bf3e47f

greptile-apps bot left a review comment: 3 files reviewed, no comments

daveqnet requested a review from erosselli February 23, 2026 15:03

erosselli (Contributor) left a review comment:

Approved! Can you add code comments in the places where we call default_backend informing that it is deprecated?

daveqnet requested a review from a team as a code owner February 23, 2026 22:10
daveqnet requested review from JadeCara and removed request for a team February 23, 2026 22:10
daveqnet added this pull request to the merge queue Feb 24, 2026
Merged via the queue into main with commit ae89980 Feb 24, 2026
53 of 54 checks passed
daveqnet deleted the daveqnet/pypi-package-version-bumps branch February 24, 2026 09:02