From 5698ac08fa00e93bb551164c30e50b638c3e1e1c Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Sun, 23 Nov 2025 21:56:45 +0200
Subject: [PATCH 1/2] Fix vulnerability in `cryptography`

Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 34e636b7..053c1eb6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,7 +27,7 @@ dependencies = [
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",
- "cryptography < 43.0.0",
+ "cryptography >= 44.0.1",
 "networkx >= 3.3",
 "omegaconf>=2.3.0",
 "leptonai>=0.25.0",

From 655cf309fec0eb7bf6a2fe8533a4aea2f2576590 Mon Sep 17 00:00:00 2001
From: Ben Lewis
Date: Mon, 8 Dec 2025 00:03:23 +0200
Subject: [PATCH 2/2] Drop version restriction

This way users of the package can choose their own `cryptography` version. This should be safe since users that aren't installing `skypilot` can just install more recent versions and users of `skypilot` can add their own restriction to `cryptography`, but AFAIK, the built-in restriction to `pyopenssl` on `skypilot` should prevent any issues (I actually believe that that restriction itself is no longer relevant, [see here](https://github.com/skypilot-org/skypilot/pull/8070) )

Signed-off-by: Ben Lewis
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 053c1eb6..058b4fe4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,7 +27,7 @@ dependencies = [
 "typer>=0.12.3",
 "rich>=13.7.1",
 "jinja2>=3.1.4",
- "cryptography >= 44.0.1",
+ "cryptography",
 "networkx >= 3.3",
 "omegaconf>=2.3.0",
 "leptonai>=0.25.0",
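Review bot: The new floor `"cryptography >= 44.0.1",` in PATCH 1/2 carries no comment naming the advisory it addresses, and the subject only says "Fix vulnerability", so a later maintainer cannot tell whether the bound may be relaxed. I would add a line above it such as `# Security floor for cryptography, see <advisory id>; do not lower without re-checking` (the id is a placeholder, the page does not name one). The old range `< 43.0.0` and the new one are disjoint, so an environment that co-installs a package still capping `cryptography` below 43 will presumably fail to resolve; that trade-off belongs in the commit description. The `dependencies` array starts and ends outside the hunk.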
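Review bot: The bare `"cryptography",` in PATCH 2/2 removes the `>= 44.0.1` floor that PATCH 1/2 introduced as the vulnerability fix, so the resolver is again free to pick a release below that floor whenever another installed package caps the version downward (the description itself expects `skypilot` users to add their own restriction). If the floor cannot stay for compatibility, the requirement should say so in place, e.g. `# No floor on purpose (skypilot compatibility); PATCH 1/2 treated releases below 44.0.1 as affected, see <advisory id>`, and a dependency audit in CI would make a vulnerable resolution visible instead of silent. Otherwise keep `"cryptography >= 44.0.1",`. The `dependencies` array continues outside the hunk.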