
Bump cryptography to 46.0.5 #1105

Merged
marcospri merged 1 commit into master from bump-crypto
Mar 3, 2026

Conversation

@marcospri (Contributor)

Fixes recent security alert


cryptography requires cffi>=2.0.0 in python>=3.9 so bumped that as well

See:

https://github.com/pyca/cryptography/blob/main/pyproject.toml#L9

@marcospri (Contributor, Author)

Change log, same versions as: https://github.com/closeio/closeio/pull/51927#issuecomment-3984599167

Copy pasting here for reference:

Copy pasting the change log update since 44.01

Highlighting here the backwards incompatible changes:

- BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.
- BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with other private key loading: [`load_ssh_private_key`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id98) now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised).
- BACKWARDS INCOMPATIBLE: The [`VerifiedClient.subject`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id152) property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension.

I don't think we are affected by these.

46.0.5 - 2026-02-10

- An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007
- Support for SECT* binary elliptic curves is deprecated and will be removed in the next release.

46.0.4 - 2026-01-27

- https://github.com/pyca/cryptography/pull/14216.
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

46.0.3 - 2025-10-15

- Fixed compilation when using LibreSSL 4.2.0.

46.0.2 - 2025-09-30

- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

46.0.1 - 2025-09-16

- Fixed an issue where users installing via pip on Python 3.14 development versions would not properly install a dependency.
- Fixed an issue building the free-threaded macOS 3.14 wheels.

46.0.0 - 2025-09-16

- BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.
- Support for OpenSSL < 3.0 is deprecated and will be removed in the next release.
- Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in two releases. We will switch to publishing an arm64 only wheel for macOS.
- Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in two releases. Users should move to a 64-bit Python installation.
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.3.
- We now build ppc64le manylinux wheels and publish them to PyPI.
- We now build win_arm64 (Windows on Arm) wheels and publish them to PyPI.
- Added support for free-threaded Python 3.14.
- Removed the deprecated `get_attribute_for_oid` method on [`CertificateSigningRequest`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id79). Users should use [`Attributes.get_attribute_for_oid`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id81) instead.
- Removed the deprecated CAST5, SEED, IDEA, and Blowfish classes from the cipher module. These are still available in [`hazmat/decrepit`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id83).
- In X.509, when performing a PSS signature with a SHA-3 hash, it is now encoded with the official NIST SHA3 OID.

45.0.7 - 2025-09-01

- Added a function to support an upcoming pyOpenSSL release.

45.0.6 - 2025-08-05

- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.2.

45.0.5 - 2025-07-02

- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.1.

45.0.4 - 2025-06-09

- Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.)

45.0.3 - 2025-05-25

- Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle).
- Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent.

45.0.2 - 2025-05-17

- Fixed using mypy with cryptography on older versions of Python.

45.0.1 - 2025-05-17

- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.0.

45.0.0 - 2025-05-17 (YANKED)

- Support for Python 3.7 is deprecated and will be removed in the next cryptography release.
- Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
- Added support for serialization of PKCS#12 Java truststores in [`pkcs12.serialize_java_truststore`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id92)
- Added [`Argon2id.derive_phc_encoded`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id94) and [`Argon2id.verify_phc_encoded`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id96) methods to support password hashing in the PHC string format
- Added support for PKCS7 decryption and encryption using AES-256 as the content algorithm, in addition to AES-128.
- BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with other private key loading: [`load_ssh_private_key`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id98) now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised).
- Added `__copy__` to the [`EllipticCurvePrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id100), [`EllipticCurvePublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id102), [`Ed25519PublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id104), [`Ed25519PrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id106), [`Ed448PublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id108), [`Ed448PrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id110), [`X25519PublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id112), [`X25519PrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id114), [`X448PublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id116), [`X448PrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id118), [`RSAPrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id120), [`RSAPublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id122), [`DSAPrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id124), [`DSAPublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id126), [`DHPrivateKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id128), and [`DHPublicKey`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id130) abstract base classes.
- We significantly refactored how private key loading ([`load_pem_private_key`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id132) and [`load_der_private_key`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id134)) works. This is intended to be backwards compatible for all well-formed keys, therefore if you discover a key that now raises an exception, please file a bug with instructions for reproducing.
- Added `unsafe_skip_rsa_key_validation` keyword-argument to [`load_ssh_private_key`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id136).
- Added [`XOFHash`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id138) to support repeated [`squeeze`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id140) operations on extendable output functions.
- Added [`OCSPResponseBuilder.add_response_by_hash`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id142) method to allow creating OCSP responses using certificate hash values rather than full certificates.
- Extended the [X.509 path validation](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id144) API to support user-configured extension policies via the [`PolicyBuilder.extension_policies`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id146) method.
- Deprecated the `subject`, `verification_time` and `max_chain_depth` properties on [`ClientVerifier`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id148) and [`ServerVerifier`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id150) in favor of a new `policy` property. These properties will be removed in the next release of cryptography.
- BACKWARDS INCOMPATIBLE: The [`VerifiedClient.subject`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id152) property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension.
- Changed the behavior when the OpenSSL 3 legacy provider fails to load. Instead of raising an exception, a warning is now emitted. The `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` environment variable can still be used to disable the legacy provider at runtime.
- Added support for the `CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY` environment variable during build time, which prevents the library from ever attempting to load the legacy provider.
- Added support for the [`PrivateKeyUsagePeriod`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id154) X.509 extension. This extension defines the period during which the private key corresponding to the certificate's public key may be used.
- Added support for compiling against [aws-lc](https://github.com/aws/aws-lc).
- Parsing X.509 structures now more strictly enforces that Name structures do not have malformed ASN.1.
- We now publish py311 wheels that utilize the faster `pyo3::buffer::PyBuffer` interface, resulting in significantly improved performance for operations involving small buffers.
- Added [`ssh_key_fingerprint`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id156) for computing fingerprints of SSH public keys.
- Added support for deterministic ECDSA signing via the new keyword-only argument `ecdsa_deterministic` in [`CertificateBuilder.sign`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id158), [`CertificateRevocationListBuilder.sign`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id160) and [`CertificateSigningRequestBuilder.sign`](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#id162).

44.0.3 - 2025-05-02

- Fixed compilation when using LibreSSL 4.1.0.

44.0.2 - 2025-03-01

- We now build wheels for PyPy 3.11.
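As an added check, not part of this PR or of the cryptography project, the following stdlib-only AST scan flags call sites touched by the backwards-incompatible and deprecation entries quoted above (the `load_ssh_private_key` password change, the removed CSR `get_attribute_for_oid`, the removed CAST5/SEED/IDEA/Blowfish ciphers and the deprecated SECT* curves). It needs only the `ast` module, so it runs before cryptography is upgraded; `SAMPLE` is a constructed input and `scan_source` is a hypothetical helper name.

```python
import ast

# Names the quoted changelog says were removed, changed or deprecated.
REMOVED_CIPHERS = {"CAST5", "SEED", "IDEA", "Blowfish"}  # dropped from ciphers.algorithms (46.0.0)
SECT_PREFIX = "SECT"                  # binary curves, deprecated in 46.0.5
SSH_LOADER = "load_ssh_private_key"   # password handling changed in 45.0.0
CSR_METHOD = "get_attribute_for_oid"  # removed from CertificateSigningRequest (46.0.0)

def _tail(node):
    """Trailing identifier of a Name or Attribute node, else None."""
    return node.id if isinstance(node, ast.Name) else getattr(node, "attr", None)

def _is_none(node):
    return isinstance(node, ast.Constant) and node.value is None

def scan_source(source: str) -> list:
    """Return sorted (line, reason) pairs for constructs touched by the upgrade."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _tail(node.func)
        if callee == SSH_LOADER:
            # A password may arrive as the 2nd positional argument or as password=...
            pw = node.args[1:2] + [k.value for k in node.keywords if k.arg == "password"]
            if any(not _is_none(p) for p in pw):
                findings.append((node.lineno, "load_ssh_private_key given a password: TypeError if the key is unencrypted"))
        elif callee in REMOVED_CIPHERS:
            findings.append((node.lineno, f"{callee} removed from ciphers.algorithms; import it from hazmat/decrepit"))
        elif callee and callee.startswith(SECT_PREFIX):
            findings.append((node.lineno, f"{callee} binary curve is deprecated; plan a migration off SECT* curves"))
        elif callee == CSR_METHOD and _tail(getattr(node.func, "value", None)) != "attributes":
            findings.append((node.lineno, "CSR.get_attribute_for_oid removed; use csr.attributes.get_attribute_for_oid"))
    return sorted(findings)

# Constructed sample input, not code from any real repository.
SAMPLE = '''
from cryptography.hazmat.primitives.serialization import load_ssh_private_key
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers import algorithms

key = load_ssh_private_key(blob, password=b"hunter2")
other = load_ssh_private_key(blob, None)
curve = ec.SECT283K1()
cipher = algorithms.Blowfish(k)
attr = csr.get_attribute_for_oid(oid)
ok = csr.attributes.get_attribute_for_oid(oid)
'''
```

Findings are review hints, not proof of breakage: whether a flagged `load_ssh_private_key` call actually raises depends on the key material passed at runtime.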

@marcospri marcospri requested a review from a team March 2, 2026 14:54
@marcospri marcospri merged commit 9bbb63c into master Mar 3, 2026
4 checks passed
@marcospri marcospri deleted the bump-crypto branch March 3, 2026 08:10