Dependabot alert #1 (HIGH): cryptography < 48.0.1 ships a vulnerable OpenSSL in its wheels. Pinned at 48.0.0 in .github/scripts/sign-requirements.txt, the hash-pinned input the release-signing job installs with pip install --require-hashes (release.yml: two jobs → sign.py, Ed25519 signing).
Real exposure is low: the package is CI-only and scoped to the signing job, which consumes trusted inputs. It is still a HIGH advisory, the bundled OpenSSL is the library the signing code actually runs on, and the bump is trivial and hash-clean. Fixed in 48.0.1.
Regenerate the cryptography hash block with uv pip compile --generate-hashes; the cffi/pycparser pins and hashes are unchanged, so the resulting diff should touch only the cryptography block. Check that before merging, and confirm the signing job's --require-hashes install still passes with the regenerated file.
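An offline guard for the regenerated file, added here as an example (it is not sign.py, the project's CI, or Dependabot's code): it parses a hash-pinned requirements file the way --require-hashes needs it (every requirement an exact == pin carrying one or more --hash=sha256 options, continuation lines joined), flags pins that sit below the version an advisory says is fixed, and reports which pins a bump changed versus left untouched. The sample file contents and every sha256 digest in them are constructed placeholders; the 48.0.1 floor comes from the advisory above, and the function and constant names are this example's own.

```python
"""Guard for a hash-pinned requirements file (added example, not project code).
Sample file contents and digests below are constructed placeholders."""
import re

# Exact pin only; pre-release tags are rejected on purpose (not expected in a
# signing-job requirements file). Digests must be full lowercase sha256 hex.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)$")
_HASH_RE = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


def _norm(name):
    """PEP 503-style name normalization so Cryptography == cryptography."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _vt(version):
    return tuple(int(p) for p in version.split("."))


def parse_hash_pinned(text):
    """Return {name: (version, frozenset(sha256 digests))}.

    Raises ValueError for anything pip --require-hashes would refuse: a
    non-== requirement, an entry without --hash, an unknown option, a duplicate.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if line.endswith("\\"):                           # pip continuation
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())

    pins = {}
    for entry in logical:
        tokens = entry.split()
        m = _REQ_RE.match(tokens[0])
        if not m:
            raise ValueError(f"not an exact == pin: {tokens[0]!r}")
        digests = set()
        for tok in tokens[1:]:
            h = _HASH_RE.match(tok)
            if not h:
                raise ValueError(f"unexpected option on {tokens[0]}: {tok!r}")
            digests.add(h.group(1))
        if not digests:
            raise ValueError(f"{tokens[0]} has no --hash; --require-hashes would reject it")
        name = _norm(m.group(1))
        if name in pins:
            raise ValueError(f"duplicate requirement {name}")
        pins[name] = (m.group(2), frozenset(digests))
    return pins


def version_problems(pins, floors):
    """List pinned packages missing or below the advisory's fixed version."""
    problems = []
    for name, floor in floors.items():
        n = _norm(name)
        if n not in pins:
            problems.append(f"{n}: not pinned at all")
        elif _vt(pins[n][0]) < _vt(floor):
            problems.append(f"{n}=={pins[n][0]} is below fixed version {floor}")
    return problems


def pin_diff(old_pins, new_pins):
    """(changed, unchanged) package names between two parsed files; a pin counts
    as changed if its version or its digest set differs."""
    names = set(old_pins) | set(new_pins)
    changed = {n for n in names if old_pins.get(n) != new_pins.get(n)}
    unchanged = (set(old_pins) & set(new_pins)) - changed
    return changed, unchanged


def sample_requirements(crypto_version, crypto_digests):
    """Constructed stand-in for sign-requirements.txt in uv pip compile
    --generate-hashes layout; digests are placeholders, not real wheel hashes."""
    lines = [
        "# constructed sample, not the real .github/scripts/sign-requirements.txt",
        "cffi==1.17.1 \\",
        "    --hash=sha256:" + "1" * 64,
        f"cryptography=={crypto_version} \\",
    ]
    lines += [f"    --hash=sha256:{d} \\" for d in crypto_digests]
    lines[-1] = lines[-1][:-2]            # last digest line has no continuation
    lines += ["pycparser==2.22 \\", "    --hash=sha256:" + "2" * 64]
    return "\n".join(lines) + "\n"


OLD_REQUIREMENTS = sample_requirements("48.0.0", ["a" * 64, "b" * 64])  # before bump
NEW_REQUIREMENTS = sample_requirements("48.0.1", ["c" * 64, "d" * 64])  # after bump
ADVISORY_FLOORS = {"cryptography": "48.0.1"}                             # from the alert


def check_bump(old_text, new_text, floors):
    """Summary a CI step could assert on: problems remaining in the new file and
    which pins the regeneration touched."""
    old, new = parse_hash_pinned(old_text), parse_hash_pinned(new_text)
    changed, unchanged = pin_diff(old, new)
    return {"problems": version_problems(new, floors),
            "changed": sorted(changed), "unchanged": sorted(unchanged)}


if __name__ == "__main__":
    print(check_bump(OLD_REQUIREMENTS, NEW_REQUIREMENTS, ADVISORY_FLOORS))
```

Run it against the real before/after files in the PR: an empty problems list plus changed == ["cryptography"] is exactly the "hash-clean bump, cffi/pycparser unchanged" claim, and a ValueError means the regenerated file would also fail the signing job's --require-hashes install.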