Can't update cryptography to resolve dependabot alert #627

Closed
5 tasks done
ngfeldman opened this issue Sep 5, 2024 · 6 comments · Fixed by #630
Labels: bug (This points to a verified bug in the code)

Comments

@ngfeldman

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

We have a dependabot alert about the python cryptography library in our application due to CVE-2024-6119 in OpenSSL. The cryptography library must be updated to version 43.0.1 to be able to resolve the issue, but auth0-python restricts the cryptography version to ~=42.0.4 (^42.0.4 in poetry syntax).

This sort of vulnerability crops up all the time in cryptography, requiring cryptography to be updated. It seems like there is little benefit to enforcing an upper-bound on the version of cryptography (or any dependency in general, really), whereas the cost is that any time a CVE is created impacting the cryptography package, we might have to wait for an update to auth0-python before we can resolve the security alerts on our end.

Reproduction

```
$ python3 -m venv venv
$ venv/bin/pip install 'auth0-python>=4.5' 'cryptography>=43.0.1'
Looking in indexes: https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/simple
Collecting auth0-python>=4.5
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/94/41/6a371c2bfa0ada31683133465ba6d51a1e30f1398ebe61e0c8668dde0037/auth0_python-4.7.1-py3-none-any.whl (131 kB)
Collecting cryptography>=43.0.1
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/8a/b6/bc54b371f02cffd35ff8dc6baba88304d7cf8e83632566b4b42e00383e03/cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl (6.2 MB)
Collecting aiohttp<4.0.0,>=3.8.5 (from auth0-python>=4.5)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/8f/f7/971f88b4cdcaaa4622925ba7d86de47b48ec02a9040a143514b382f78da4/aiohttp-3.10.5-cp312-cp312-macosx_11_0_arm64.whl (389 kB)
INFO: pip is looking at multiple versions of auth0-python to determine which version is compatible with other requirements. This could take a while.
Collecting auth0-python>=4.5
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/88/7b/debb2820b785f14c5770d6cafe61b10c7df9029832ff2bdafe51d3f2f235/auth0_python-4.7.0-py3-none-any.whl (131 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/73/1b/3f4eb3e4aa1a5a47d20df31bb16c5d46dc68c9969412f36df51d83d295ab/auth0_python-4.6.1-py3-none-any.whl (130 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/b4/ba/f14c8ceede95b10828b636a4c6a3e0f0d81c5d4af7c3fa906144091093af/auth0_python-4.6.0-py3-none-any.whl (130 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/50/27/6fce8da4f6db7c799279979e44fd93da0168f0d27641256702ddfbb3a62b/auth0_python-4.5.0-py3-none-any.whl (129 kB)
ERROR: Cannot install auth0-python==4.5.0, auth0-python==4.6.0, auth0-python==4.6.1, auth0-python==4.7.0, auth0-python==4.7.1 and cryptography>=43.0.1 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested cryptography>=43.0.1
    auth0-python 4.7.1 depends on cryptography<43.0.0 and >=42.0.4
    The user requested cryptography>=43.0.1
    auth0-python 4.7.0 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.6.1 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.6.0 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.5.0 depends on cryptography<42.0.0 and >=41.0.3

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

[notice] A new release of pip is available: 24.0 -> 24.2
[notice] To update, run: python3.12 -m pip install --upgrade pip
```


auth0-python version: 4.4.1 and higher

Python version: 3.8 and higher
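To make the conflict in the pip output concrete, here is an added illustration (not code from the issue or from the auth0-python project): a minimal specifier checker that expands poetry's `^` and PEP 440's `~=` into plain comparisons and reports which candidate versions satisfy a whole set of constraints at once. It handles only plain dotted release versions (no pre-releases, no `^0.x` special case), and the candidate list is constructed from the versions named in the pip output.

```python
# Added illustration: a minimal PEP 440 / poetry specifier checker showing why the
# ^42.0.4 (= >=42.0.4,<43.0.0) pin cannot coexist with a request for >=43.0.1.
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_version(text):
    """'43.0.1' -> (43, 0, 1); short versions are zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def normalize(spec):
    """Expand caret and compatible-release operators into plain comparisons."""
    spec = spec.strip()
    if spec.startswith("^"):          # poetry (major >= 1): ^42.0.4 -> >=42.0.4,<43.0.0
        major = parse_version(spec[1:])[0]
        return [">=" + spec[1:], f"<{major + 1}.0.0"]
    if spec.startswith("~="):         # PEP 440: ~=42.0.4 -> >=42.0.4,<42.1
        parts = spec[2:].split(".")
        upper = parts[:-2] + [str(int(parts[-2]) + 1)]
        return [">=" + spec[2:], "<" + ".".join(upper)]
    return [spec]


def satisfies(version, specs):
    """True if `version` meets every specifier in `specs` (all must hold at once)."""
    v = parse_version(version)
    for spec in specs:
        for atom in normalize(spec):
            op = next(o for o in (">=", "<=", "==", ">", "<") if atom.startswith(o))
            if not OPS[op](v, parse_version(atom[len(op):])):
                return False
    return True


def resolvable(candidates, specs):
    """Candidate versions a resolver could pick; an empty list is ResolutionImpossible."""
    return [c for c in candidates if satisfies(c, specs)]


# Constructed candidate list (versions that appear in the pip output above).
CANDIDATES = ["41.0.5", "42.0.4", "43.0.0", "43.0.1"]
# auth0-python 4.7.1's pin written as a poetry caret, plus the reporter's request.
PINNED = ["^42.0.4", ">=43.0.1"]
# The same request with the upper bound dropped, as the issue proposes.
UNBOUNDED = [">=42.0.4", ">=43.0.1"]
```

`resolvable(CANDIDATES, PINNED)` is empty, which is exactly the state pip reports above, while `resolvable(CANDIDATES, UNBOUNDED)` picks 43.0.1.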

@ngfeldman ngfeldman added the bug This points to a verified bug in the code label Sep 5, 2024
@willashford

I can understand why there is an upper limit, but at least bumping the version to 43.0.1 will resolve this dependabot issue (as well as SOC2/ISO27001 compliance for customers that incorporate dependabot into their controls).

@jlucas91

jlucas91 commented Sep 6, 2024

This is not the first time this has been an issue for auth0-python. They're very slow keeping up here.

@eshgovil

eshgovil commented Sep 6, 2024

This is an urgent security issue for us to remain SOC2 compliant!

@aorumbayev

+1

@najork

najork commented Sep 10, 2024

@duedares-rvj it looks like the latest auth0-python release on PyPI is still 4.7.1, would you bump it there as well?

[Screenshot attached: 2024-09-10 at 12:36:18 PM]

@tisba

tisba commented Sep 11, 2024

https://pypi.org/project/auth0-python/4.7.2/ has just been pushed to pypi 🥳
