Skip to content

fix(google-auth): add cryptography bound for Python 3.14#17649

Merged
parthea merged 1 commit into
mainfrom
fix-py314-cryptography-rsa-bounds
Jul 7, 2026
Merged

fix(google-auth): add cryptography bound for Python 3.14#17649
parthea merged 1 commit into
mainfrom
fix-py314-cryptography-rsa-bounds

Conversation

@ohmayr

@ohmayr ohmayr commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary of Changes

Added "cryptography >= 41.0.5; python_version >= '3.14'" in setup.py and cryptography==41.0.5 in testing/constraints-3.14.txt.

Rationale

In Python 3.14, the legacy setuptools / pkg_resources module was removed from the standard build environment.
Older cryptography versions (< 41.0, including google-auth's default lower bound 38.0.3) utilized pkg_resources in their build hooks. When building from source (sdist) or installing on custom runtimes (such as Alpine Linux, ARM64, or non-manylinux environments), cryptography 38.0.3 fails with a ModuleNotFoundError: No module named 'pkg_resources' build error.
PyCA (Python Cryptography Authority) removed pkg_resources and updated setuptools-rust build hooks in cryptography 41.0.5+.
Setting "cryptography >= 41.0.5; python_version >= '3.14'" ensures:

  1. Python 3.10–3.13: google-auth continues to support cryptography >= 38.0.3 (zero breaking changes for existing users).
  2. Python 3.14+: pip automatically selects cryptography >= 41.0.5 so installations and builds succeed cleanly across all platforms and architectures.

How to Reproduce

To reproduce the build failure on Python 3.14 without this fix:

  1. In a Python 3.14 environment:
    pyenv activate py314
    pip install --no-binary :all: "cryptography==38.0.3"

@ohmayr ohmayr requested review from a team as code owners July 7, 2026 18:24

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the cryptography dependency requirements in setup.py to use version 41.0.5 or higher for Python 3.14 and above, and introduces a new constraints file constraints-3.14.txt for Python 3.14 testing. Feedback on the changes highlights that setuptools is included in the new constraints file but is missing from the primary dependency specification in setup.py, which violates repository guidelines.

# Lower-bound constraints for Python 3.14 core dependencies.
# Pins cryptography==41.0.5 for CPython 3.14 C-extension compatibility.
pyasn1-modules==0.2.1
setuptools==40.3.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

According to the repository's general rules, libraries listed in constraints files must be present in the project's primary dependency specification (e.g., setup.py). setuptools is not listed in the primary DEPENDENCIES of setup.py. Please verify if setuptools should be removed from this constraints file or if it needs to be added to the primary dependency specification.

References
  1. When reviewing dependency changes, verify that libraries listed in constraints files are present in the project's primary dependency specification (e.g., setup.py) by checking the entire file, as they may be located outside the current diff window.

@ohmayr ohmayr force-pushed the fix-py314-cryptography-rsa-bounds branch from 6ba0bfc to 1aa24a1 Compare July 7, 2026 19:07
@ohmayr ohmayr force-pushed the fix-py314-cryptography-rsa-bounds branch from 1aa24a1 to 5b3c6f5 Compare July 7, 2026 19:43
@parthea parthea merged commit e9ca4c4 into main Jul 7, 2026
30 checks passed
@parthea parthea deleted the fix-py314-cryptography-rsa-bounds branch July 7, 2026 20:28
@release-please release-please Bot mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants