
fix(deps): bump cryptography to 48.0.1 (Dependabot #6) #1434

Merged: jaylfc merged 1 commit into dev from fix/cryptography-cve-48 on Jun 25, 2026

Conversation

@jaylfc jaylfc (Owner) commented Jun 25, 2026

What

Bumps cryptography 46.0.7 -> 48.0.1 to clear Dependabot alert #6 (high: vulnerable OpenSSL bundled in cryptography wheels, < 48.0.1). Lock-only.

Why it needed a litellm bump

litellm 1.89.3 hard-caps cryptography>=46.0.7,<47.0, which is what held the lock at 46.0.7. litellm 1.89.4 raises the cap to >=48.0.1,<49.0, so this bumps litellm one patch (1.89.3 -> 1.89.4, + litellm-enterprise post-release) and lets cryptography move to 48.0.1.

Scope

uv.lock only (43 lines). No pyproject/source changes. Resolves to cryptography 48.0.1 within litellm's new cap.

Verify

CI installs from the lock and runs test 3.12/3.13. Will not merge until green.

…nSSL)

cryptography <48.0.1 shipped a vulnerable OpenSSL in its wheels (high). The bump
was blocked by litellm 1.89.3 capping cryptography <47.0; litellm 1.89.4 raises
the cap to >=48.0.1,<49.0, so this bumps litellm one patch and lets cryptography
move to 48.0.1. Lock-only change.

@coderabbitai coderabbitai Bot commented Jun 25, 2026

Review skipped

Review was skipped due to path filters.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock


@gitar-bot gitar-bot Bot commented Jun 25, 2026

Code Review ✅ Approved

Bumps the cryptography dependency to 48.0.1 by updating the litellm constraint in the lockfile to resolve a high-severity OpenSSL vulnerability. No issues found.


@kilo-code-bot kilo-code-bot Bot commented Jun 25, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The PR modifies a single generated file, uv.lock (43-line lock-only bump of cryptography 46.0.7 → 48.0.1, with the accompanying litellm 1.89.3 → 1.89.4 and litellm-enterprise 0.1.42 → 0.1.42.post2 lockfile updates required to clear the new cryptography cap). No source code, pyproject, or migration files are touched, so there is no application logic in scope to review. URLs and sha256 hashes visible in the diff match the canonical PyPI registry artifacts for the new versions, and the version transitions are consistent with the PR description.

Files Reviewed (1 file)
  • uv.lock (generated lock file — out of review scope)

Reviewed by minimax-m3 · Input: 83.7K · Output: 1.2K · Cached: 65.1K

@jaylfc jaylfc enabled auto-merge (squash) June 25, 2026 11:37
@jaylfc jaylfc merged commit 172eb5d into dev Jun 25, 2026
10 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in TinyAgentOS Roadmap Jun 25, 2026
jaylfc added a commit that referenced this pull request Jun 25, 2026