deps(security): cryptography >= 46.0.7 (GHSA-p423-j2cm-9vmq) (#227)

Closes the single open Dependabot advisory on GeoSync main:

  GHSA-p423-j2cm-9vmq — Cryptography buffer-overflow with
  non-contiguous buffers (moderate). Vulnerable range
  ``>= 45.0.0, < 46.0.7``; current pin 46.0.6; fix 46.0.7+.

Bumps the floor in the three source-of-truth manifests
(``pyproject.toml``, ``requirements.txt``, ``requirements-scan.txt``)
and the generated ``sbom/combined-requirements.txt`` together so the
SBOM stays consistent with the lockfiles.

Minor point-release of a widely-deployed library — no API change
on the code paths we use (cipher/hash/x509 primitives).

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: neuron7xLab

pyproject.toml

@@ -67,7 +67,7 @@ dependencies = [
     "streamlit-authenticator>=0.3.1",
     # Security: security-critical transitive dependencies pinned via constraints/security.txt
     "PyJWT[crypto]>=2.12.0",
-    "cryptography>=46.0.6",
+    "cryptography>=46.0.7",
     "requests>=2.33.0",
 ]
 

requirements-scan.txt

@@ -54,5 +54,5 @@ streamlit-authenticator>=0.3.1
 
 # Security: security-critical transitive dependencies are pinned via constraints/security.txt
 PyJWT[crypto]>=2.12.0
-cryptography>=46.0.6
+cryptography>=46.0.7
 requests>=2.32.5

requirements.txt

@@ -51,5 +51,5 @@ streamlit-authenticator>=0.3.1
 
 # Security: security-critical transitive dependencies are pinned via constraints/security.txt
 PyJWT[crypto]>=2.12.0
-cryptography>=46.0.6
+cryptography>=46.0.7
 requests>=2.32.5

sbom/combined-requirements.txt

@@ -28,7 +28,7 @@ cffi==2.0.0
 charset-normalizer==3.4.4
 click==8.3.0
 colorlog==6.10.1
-cryptography==46.0.6
+cryptography==46.0.7
 deap==1.4.3
 exchange-calendars==4.11.1
 extra-streamlit-components==0.1.81