Allow cryptography 46.x version and move it to dev dependencies. #98
mridang merged 3 commits into zitadel:beta from
Conversation
This is also part of the latest "uv-version-updates" dependabot PR but I don't know what your plans are with those. We wouldn't be able to use the client-python without this version bump so I kindly ask you to update it for the next (or one of the next) beta releases.
`cryptography` is only used in `test/auth/test_web_token_authenticator.py`
Would be great to get this merged. It's blocking me from updating other dependencies in my project.

Any update on this?

I'm checking this now.
Pull request overview
This PR adjusts dependency management for the Python SDK by relocating cryptography from runtime dependencies to the dev dependency group, with the stated intent of supporting newer cryptography versions and reflecting that it’s only used in tests.
Changes:
- Remove `cryptography` from `[project].dependencies`.
- Add `cryptography` to `[dependency-groups].dev` with the same version range (>=44.0.1,<47.0.0).
| dev = [ | ||
| "cryptography>=44.0.1,<47.0.0", | ||
| "pytest>=7.2.1", |
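Review bot: the new dev-group entry keeps the same bound (>=44.0.1,<47.0.0) as the runtime entry it replaces, but nothing in this hunk records why a test-only dependency needs an upper bound at all; add a comment beside `"cryptography>=44.0.1,<47.0.0",` in the dev group naming the test that exercises it (test/auth/test_web_token_authenticator.py), so the next dependabot bump has a stated reason to keep or drop the cap.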
The PR description/title mention a version bump to allow 46.x, but the cryptography specifier here remains >=44.0.1,<47.0.0 (just moved groups). If the goal is to relax constraints for downstreams, moving it to dev may actually remove the constraint entirely for consumers; please confirm the intended behavior and adjust the constraint location/range accordingly.
| dependencies = [ | ||
| "urllib3>=1.25.3,<3.0.0", | ||
| "python-dateutil>=2.8.2", | ||
| "pydantic>=2", | ||
| "typing-extensions>=4.7.1", | ||
| "authlib>=1.3.2,<2.0.0", | ||
| "cryptography>=44.0.1,<47.0.0", | ||
| "requests>=2.32.4,<3.0.0", | ||
| ] |
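Review bot: once the `"cryptography>=44.0.1,<47.0.0",` line is gone from `dependencies`, the only remaining requirement that reaches cryptography is `"authlib>=1.3.2,<2.0.0",`, which carries no cryptography bound of its own, so the version consumers will get is no longer visible in this file; include the corresponding uv.lock change in the PR and state which cryptography version `uv run pytest` resolved, so the review can confirm the SDK was validated against what consumers will now receive.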
Moving cryptography out of [project].dependencies means the published package no longer constrains the runtime cryptography version for consumers. Since authlib depends on cryptography without a version specifier (see uv.lock), installers may resolve to a newer major cryptography than the SDK has been validated against, which can break JWT signing used by WebTokenAuthenticator. Consider keeping an explicit runtime constraint in [project].dependencies, or introducing an optional extra (e.g. jwt) that includes cryptography with a bounded range, rather than relying on the transitive dependency.
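As an added illustration of the alternative the review comment above proposes (this is not the project's own pyproject.toml; the project name and version are placeholders, the extra name `jwt` is hypothetical, and the version ranges are copied from the ones shown in this PR): the test-only copy of cryptography stays in the dev group, while an optional extra exposes a bounded runtime range to consumers that use JWT signing, instead of leaving them with whatever authlib's unpinned transitive requirement resolves to.

```toml
# Added example, not the project's pyproject.toml.
# Assumptions: "example-sdk" and "0.0.0" are placeholders, the extra name "jwt"
# is hypothetical, and the version ranges are the ones visible in this PR.

[project]
name = "example-sdk"   # placeholder, not the real package name
version = "0.0.0"      # placeholder
dependencies = [
    "urllib3>=1.25.3,<3.0.0",
    "python-dateutil>=2.8.2",
    "pydantic>=2",
    "typing-extensions>=4.7.1",
    "authlib>=1.3.2,<2.0.0",
    "requests>=2.32.4,<3.0.0",
    # "cryptography" is intentionally absent here: consumers that never sign a
    # JWT are not forced to install it directly.
]

[project.optional-dependencies]
# Consumers that use JWT-based authentication install with
#   pip install "example-sdk[jwt]"
# and receive a cryptography version inside the range the SDK was tested with,
# rather than an unbounded transitive resolution through authlib.
jwt = [
    "cryptography>=44.0.1,<47.0.0",
]

[dependency-groups]
# Development-only dependencies (PEP 735 groups); never installed by consumers.
dev = [
    "cryptography>=44.0.1,<47.0.0",   # exercised by test/auth/test_web_token_authenticator.py
    "pytest>=7.2.1",
]
```

With this layout the dev group and the extra carry the same range, so a future bump has to be made in both places; the extra is what keeps the runtime bound visible to installers, and the dev group is what the test suite runs against.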
# [4.1.0-beta.9](v4.1.0-beta.8...v4.1.0-beta.9) (2026-02-27)

### Bug Fixes

* allow `cryptography` 46.x version and move it to `dev` dependencies. ([#98](#98)) ([64f0e3d](64f0e3d))
`cryptography` dependency into the `dev` group as it's only used in a test (`test/auth/test_web_token_authenticator.py`)
Description
This is also part of the latest "uv-version-updates" dependabot PR but I don't know what your plans are with those.
We wouldn't be able to use the client-python without this version bump so I kindly ask you to update it for the next (or one of the next) beta releases.
Related Issue
#97
Motivation and Context
We wouldn't be able to use the client-python without this version bump so I kindly ask you to update it for the next (or one of the next) beta releases.
How Has This Been Tested?
Check out the project, modify `pyproject.toml` accordingly and run `uv run pytest`.
Documentation:
I don't think doc updates are needed here?
Checklist: