cryptography is a transitive dependency of many tools, as it's direct dependency of poetry, moto, etc. Unfortunately cryptography versions >= 42.0.0, < 44.0.1 are vulnerable to CVE-2024-12797.
Python version restrictions introduced at #12045 now require to make cryptography an explicit dependency and basically match the cryptography's python version specification (ex. here), in order to use newer cryptography versions that are not affected by the vulnerability (44.0.1+).
This makes version specification unnecessarily complex in tools with wide Python version requirements. Feels like prohibiting python versions is a nuclear option. Is there any other way to consume non-vulnerable versions of cryptography that I might have missed?
cryptographyis a transitive dependency of many tools, as it's direct dependency of poetry, moto, etc. Unfortunately cryptography versions>= 42.0.0, < 44.0.1are vulnerable to CVE-2024-12797.Python version restrictions introduced at #12045 now require to make cryptography an explicit dependency and basically match the cryptography's python version specification (ex. here), in order to use newer cryptography versions that are not affected by the vulnerability (
44.0.1+).This makes version specification unnecessarily complex in tools with wide Python version requirements. Feels like prohibiting python versions is a nuclear option. Is there any other way to consume non-vulnerable versions of cryptography that I might have missed?