Summary
atproto pins cryptography<47,>=41.0.7 on all current releases (verified through 0.0.68). The OpenSSL bundled in the cryptography wheels was patched for the 2026-06-09 OpenSSL advisory (GHSA-537c-gmf6-5ccf, HIGH) only in cryptography 48.0.1, and there is no patched release below 48. The <47 upper bound therefore makes it impossible for downstream projects to adopt the security fix:
$ pip install atproto==0.0.68 cryptography==48.0.1
ERROR: ResolutionImpossible
Request
Relax the upper bound to allow cryptography>=48 (or drop the cap), assuming no real API incompatibility. cryptography keeps a stable API across majors, and the 46→48 range doesn't appear to change the EC / serialization / hazmat surfaces the SDK uses — but you'd know best whether the cap pins around a specific incompatibility or is precautionary.
Context
Happy to test a candidate build or open a PR bumping the bound if that's useful.
cryptography: 48.0.1
cryptography dependency version constraints #542
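To find which installed packages cap a dependency below a patched release, as the `<47` bound does here, the following is an added example and not code from atproto or the issue author. It uses a simplified, stdlib-only version comparison; the `example-lib` entry and the `httpx` requirement are constructed sample data, and only the atproto pin on cryptography comes from the issue.

```python
import re
from itertools import zip_longest

# Simplified PEP 440 handling: numeric release segments only (no pre/post/dev
# releases, no ~=, === or wildcards). Enough for pins such as "<47,>=41.0.7".
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
    ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0,
}

def _cmp(a, b):
    """Compare dotted versions, padding with zeros so 48 == 48.0.0."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def admits(requirement, version):
    """True if every version clause in `requirement` accepts `version`."""
    spec = requirement.split(";", 1)[0]  # drop environment markers
    return all(_OPS[op](_cmp(version, bound)) for op, bound in _CLAUSE.findall(spec))

def blockers(requires_by_dist, package, fixed_version):
    """Return {dist: requirement} for dists whose pin on `package` excludes the fix."""
    found = {}
    for dist, reqs in requires_by_dist.items():
        for req in reqs:
            m = re.match(r"\s*([A-Za-z0-9._-]+)", req)
            if not m or m.group(1).lower().replace("_", "-") != package:
                continue
            if not admits(req, fixed_version):
                found[dist] = req
    return found

# Constructed sample metadata; only the atproto pin on cryptography is from the issue.
SAMPLE = {
    "atproto": ["cryptography<47,>=41.0.7", "httpx>=0.25"],
    "example-lib": ["cryptography>=42 ; python_version >= '3.9'"],  # hypothetical
}

if __name__ == "__main__":
    print(blockers(SAMPLE, "cryptography", "48.0.1"))
```

For a real environment, build the mapping from `importlib.metadata.distributions()`, using each distribution's `metadata["Name"]` and `requires` list in place of `SAMPLE`.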