[WIP] Update cryptography package to version >=46.0.6

[Copilot]

• Add cryptography>=46.0.6 constraint to actions/gcp/setup/requirements.in
• Regenerate actions/gcp/setup/requirements.txt with pip-compile --allow-unsafe --generate-hashes requirements.in
• Verify cryptography>=46.0.6 appears in the regenerated lockfile

Original prompt

Problem

Dependabot alert #345 (https://github.com/envoyproxy/toolshed/security/dependabot/345) flags cryptography version 43.0.3 as vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (severity: High 8.2/10). The patched version is >=46.0.5.

Dependabot cannot auto-resolve this because the actions/gcp/setup/requirements.txt is a pip-compile-generated lockfile with pinned hashes (--generate-hashes). Dependabot can't run pip-compile to regenerate it.

Fix Required

1. Check actions/gcp/setup/requirements.in — if cryptography is pinned or constrained there, update it to allow >=46.0.6.
2. Regenerate actions/gcp/setup/requirements.txt by running pip-compile --allow-unsafe --generate-hashes requirements.in (or whatever pip-compile command is used in this project — check for a Makefile, script, or comments at the top of the generated requirements.txt for the exact command).
3. Ensure the resulting requirements.txt has cryptography>=46.0.6 (or the latest secure version) with correct hashes.

The key file is actions/gcp/setup/requirements.txt (line 336 currently has cryptography==43.0.3). The source input file is likely actions/gcp/setup/requirements.in.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: not sure why dependabot isnt resolving this - but it needs to be fixed

Assistant: Unfortunately, I'm unable to directly access the Dependabot security alert #345 at https://github.com/envoyproxy/toolshed/security/dependabot/345 — Dependabot security alerts are not publicly accessible via API and require repository collaborator/admin access to view details.

However, I can see that Dependabot is actively creating PRs in the repo. Here are the current open Dependabot PRs that may be related to the alert you're looking at:

data:
- url: "https://github.com/envoyproxy/toolshed/pull/3942"
  repository: "envoyproxy/toolshed"
  state: "open"
  draft: false
  title: "build(deps): bump the dependencies group across 9 directories with 2 updates"
  number: 3942
  created_at: "2026-04-01T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependencies"
  - "javascript"
  author: "dependabot[bot]"
  comments: 1
  assignees_avatar_urls: []
- url: "https://github.com/envoyproxy/toolshed/pull/3941"
  repository: "envoyproxy/toolshed"
  state: "open"
  draft: false
  title: "build(deps): bump the dependencies group across 44 directories with 1 update"
  number: 3941
  created_at: "2026-04-01T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependencies"
  - "github_actions"
  author: "dependabot[bot]"
  comments: 1
  assignees_avatar_urls: []

Why Dependabot might not be auto-resolving alert #345:

There are several common reasons a Dependabot alert stays open even when PRs exist:

1. The vulnerable dependency is a transitive/indirect dependency — Dependabot can only update direct dependencies. If the vulnerability is in a transitive dep, it can't create a PR to fix it directly.

2. Version constraints prevent the update — If package.json (or equivalent) pins a range that doesn't include the fixed version, Dependabot may be unable to generate a compatible update.

3. The alert is for a different ecosystem than what Dependabot version updates are configured for (e.g., the alert might be for a pip/cargo/npm lockfile dep not covered by the dependabot.yml grouping).

4. Dependabot's open PR limit has been reached — By default, Dependabot limits itself to 5 open security PRs. With multiple large grouped PRs already open, it may be queued.

To fix this manually, you'd need to:

• Go to the Dependabot alert #345 to see which package/version is affected
• Check if any of the open PRs above already address it (the TypeScript 5.9.3 → 6.0.2 updates in PRs build(deps): bump the dependencies group across 9 directories with 2 updates #3942 and chore(deps): update dependency typescript to v6 #3887 are the most prominent updates right now)
• If it's a transitive dependency, you may need to manually update the lockfile or override the dependency

Would you like me to create a PR to fix a specific vulnerable dependency, or would you like me to investigate the repo's dependabot.yml configuration to understand why certain alerts might not be getting resolved?

User: yeah fix it

Assistant:

Let me first look at the Dependabot alert details and the repo's dependency configuration to understand what needs to be fixed.

Assistant: I can't directly access Dependabot security alert details through the API. Let me look at the open Dependabot PRs and recent security-related activity to understand what alert #345 might be about.

Assistant: I can't directly access the Dependabot alert details through the API, so let me look at the security-related files and recent vulnerability patterns in the repo to understand what alert #345 might be about.

Assistant: I can see the repository structure now. Since I ...

This pull request was created from Copilot chat.

[netlify]

✅ Deploy Preview for nifty-bassi-e26446 ready!

Name	Link
🔨 Latest commit	e652765
🔍 Latest deploy log	https://app.netlify.com/projects/nifty-bassi-e26446/deploys/69cd8059ee5388000812ce03
😎 Deploy Preview	https://deploy-preview-3945--nifty-bassi-e26446.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.