
Fix Dependabot security alerts: cryptography, Pygments, keccak, atty#11

Merged
Johnsonajibi merged 3 commits into main from copilot/fix-dependabot-security-alerts
Apr 11, 2026

Conversation

Contributor

Copilot AI commented Apr 10, 2026

Resolves 4 open Dependabot alerts across Python and Rust dependency trees by bumping to patched versions.

Python (requirements.txt, pyproject.toml)

  • cryptography >=43.0.0 → >=44.0.1
    • GHSA-79v4-65xg-pq4m: buffer overflow with non-contiguous buffers
    • GHSA-h4gh-qq45-vh27: incomplete DNS name constraint enforcement
  • Pygments >=2.15.1 added as explicit constraint (was unconstrained transitive dep)

Rust (rust/, pqc_rust_src/)

  • sha3 0.10 → 0.11 in both Cargo.toml files — sha3 0.11 pulls keccak 0.2.0 (was 0.1.5/0.1.6)
    • GHSA-45vq-q6x3-4hf2: unsoundness in opt-in ARMv8 assembly backend (fixed in keccak ≥0.1.7/0.2.0)
  • cbindgen 0.24 → 0.29 in rust/Cargo.toml — cbindgen 0.26+ uses clap 4.x, which drops the atty dependency entirely
    • GHSA-g98v-hv3f-hcfr: potential unaligned read in atty (no patched atty release exists; removing the dep is the correct fix)

Both Cargo.lock files regenerated — atty 0.2.14 is fully absent from both dependency graphs.

Original prompt

Fix all Dependabot security alerts in the repository Johnsonajibi/DeviceFingerprinting.

Context:

  • The user provided the Dependabot alerts page (see screenshot) indicating 6 open alerts and 2 closed.
  • Alerts shown include Python cryptography issues (buffer overflow with non-contiguous buffers; incomplete DNS name constraint enforcement), Pygments ReDoS, and Rust crate issues (keccak unsoundness in opt-in ARMv8 assembly backend, atty potential unaligned read) found in rust/Cargo.lock and rust-pqc_rust_src/Cargo.lock.

Requirements:

  1. Update dependencies to patched versions to resolve each open Dependabot alert.
    • For Python: update requirements.txt (and any pinned versions) to versions that remediate cryptography and Pygments advisories.
    • For Rust: update affected crates by running/carrying out cargo update and/or adjusting Cargo.toml constraints so that Cargo.lock resolves to fixed versions, for both rust/Cargo.lock and rust-pqc_rust_src/Cargo.lock.
  2. Ensure the project builds/tests still pass after updates.
    • Run Python dependency install / minimal sanity checks (e.g., import checks or unit tests if present).
    • Run Rust cargo build and cargo test for each Rust workspace/package directory present (rust and rust-pqc_rust_src).
  3. If any advisory cannot be fully resolved via simple updates (e.g., transitive dependency constraints), apply the smallest safe change:
    • Adjust version constraints.
    • Use [patch] or dependency overrides only if necessary, and document why.
  4. Do not introduce breaking changes unless unavoidable; if unavoidable, document the rationale in the PR description.

Deliverables:

  • A pull request that updates the relevant dependency files (requirements.txt, Cargo.toml if needed, and lockfiles) to fix the vulnerabilities.
  • PR description should list each Dependabot alert that is fixed and the exact version bumps.

Images:

  • image1

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: fix the security vulnerabilities

Assistant: I’m ready to start fixing the Dependabot security vulnerabilities, but I need you to approve the pending action in the dialog so I can access the repository and apply the dependency updates.

This pull request was created from Copilot chat.
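The description above lists the floors each alert needs (cryptography >=44.0.1, Pygments >=2.15.1, keccak >=0.1.7, atty absent) but the only evidence that the lockfiles actually meet them is the author's statement. The script below is an added example, not code from this PR or from the DeviceFingerprinting repository: it reads Cargo.lock `[[package]]` entries and requirements.txt `>=` constraints and reports every crate or package that still sits below the advisory floor or, for atty, is still present at all. The floor table and the sample lockfile and requirements contents are constructed from the version numbers in the PR text; the function and constant names are assumptions of this example.

```python
"""Check resolved dependency versions against the advisory floors named in the PR.

Hypothetical post-merge check, not part of the DeviceFingerprinting project.
"""
import re
from typing import Dict, List, Optional, Tuple

# Floors taken from the PR description. None means the crate must be absent,
# because no patched release of it exists.
RUST_FLOORS: Dict[str, Optional[str]] = {
    "keccak": "0.1.7",  # GHSA-45vq-q6x3-4hf2, fixed in keccak >=0.1.7 / 0.2.0
    "atty": None,       # GHSA-g98v-hv3f-hcfr, no fix released; must be dropped
}
PYTHON_FLOORS: Dict[str, str] = {
    "cryptography": "44.0.1",  # GHSA-79v4-65xg-pq4m, GHSA-h4gh-qq45-vh27
    "pygments": "2.15.1",      # ReDoS advisory from the Dependabot alert list
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.1.7' or '44.0.1' into a comparable tuple; a non-numeric tail ends parsing."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_cargo_lock(text: str) -> Dict[str, List[str]]:
    """Map crate name -> list of locked versions (a crate can be locked at several versions)."""
    packages: Dict[str, List[str]] = {}
    name: Optional[str] = None
    version: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                packages.setdefault(name, []).append(version)
            name = version = None
        elif line.startswith("name ="):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version ="):
            version = line.split("=", 1)[1].strip().strip('"')
    if name and version:  # flush the final block
        packages.setdefault(name, []).append(version)
    return packages


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map lower-cased package name -> lower bound from '>=' or '==' (None if unconstrained)."""
    reqs: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(?:(?:>=|==)\s*([0-9][0-9A-Za-z.]*))?", line)
        if m:
            reqs[m.group(1).lower()] = m.group(2)
    return reqs


def check_floors(cargo_lock: str, requirements: str) -> List[str]:
    """Return one finding per unmet floor; an empty list means every alert floor is satisfied."""
    findings: List[str] = []
    crates = parse_cargo_lock(cargo_lock)
    for crate, floor in RUST_FLOORS.items():
        versions = crates.get(crate, [])
        if floor is None:
            if versions:
                findings.append(f"{crate} still locked at {', '.join(versions)}; must be removed")
            continue
        for v in versions:
            if parse_version(v) < parse_version(floor):
                findings.append(f"{crate} {v} is below advisory floor {floor}")
    reqs = parse_requirements(requirements)
    for pkg, floor in PYTHON_FLOORS.items():
        have = reqs.get(pkg)
        if have is None:
            findings.append(f"{pkg} has no lower bound in requirements.txt")
        elif parse_version(have) < parse_version(floor):
            findings.append(f"{pkg}>={have} is below advisory floor {floor}")
    return findings


# Constructed sample inputs mirroring the before/after state the PR describes.
CARGO_LOCK_BEFORE = '''
[[package]]
name = "atty"
version = "0.2.14"

[[package]]
name = "keccak"
version = "0.1.5"

[[package]]
name = "sha3"
version = "0.10.8"
'''
CARGO_LOCK_AFTER = '''
[[package]]
name = "keccak"
version = "0.2.0"

[[package]]
name = "sha3"
version = "0.11.0"
'''
REQUIREMENTS_BEFORE = "cryptography>=43.0.0\nnumpy>=1.21.0\n"
REQUIREMENTS_AFTER = "cryptography>=44.0.1  # GHSA-79v4-65xg-pq4m\nPygments>=2.15.1\nnumpy>=1.21.0\n"

if __name__ == "__main__":
    for label, lock, req in (("before", CARGO_LOCK_BEFORE, REQUIREMENTS_BEFORE),
                             ("after", CARGO_LOCK_AFTER, REQUIREMENTS_AFTER)):
        print(label, check_floors(lock, req) or "all advisory floors satisfied")
```

Run it against the real rust/Cargo.lock, pqc_rust_src/Cargo.lock and requirements.txt by reading those files into `check_floors`; a non-empty result is the list of alerts that would reopen. The atty entry is deliberately modelled as "must be absent" rather than as a version floor, matching the PR's reasoning that no patched atty release exists.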

Copilot AI and others added 2 commits April 10, 2026 22:17
Copilot AI changed the title from "[WIP] Fix all Dependabot security alerts in the repository" to "Fix Dependabot security alerts: cryptography, Pygments, keccak, atty" Apr 10, 2026
Copilot AI requested a review from Johnsonajibi April 10, 2026 22:21
@Johnsonajibi Johnsonajibi marked this pull request as ready for review April 11, 2026 04:08
Copilot AI review requested due to automatic review settings April 11, 2026 04:08
@Johnsonajibi Johnsonajibi merged commit 2c3b2ed into main Apr 11, 2026
38 checks passed

Copilot AI left a comment


Pull request overview

Resolves multiple Dependabot security alerts by updating Python and Rust dependencies to patched versions and regenerating Rust lockfiles.

Changes:

  • Python: bump cryptography minimum version and add an explicit Pygments minimum version constraint.
  • Rust: bump sha3 and cbindgen, regenerating both Cargo.lock files to remove atty and pull patched keccak.

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • requirements.txt: bumps cryptography and adds a direct Pygments constraint.
  • pyproject.toml: bumps the cryptography minimum version in package metadata.
  • rust/Cargo.toml: bumps sha3 and cbindgen to versions intended to address the advisories.
  • rust/Cargo.lock: regenerated lockfile reflecting the updated dependency graph (incl. patched keccak, removed atty).
  • pqc_rust_src/Cargo.toml: bumps sha3 to align with patched keccak.
  • pqc_rust_src/Cargo.lock: regenerated lockfile reflecting the updated dependency graph (incl. patched keccak, removed atty).


Comment on lines 46 to 53
dependencies = [
"numpy>=1.21.0",
"scikit-learn>=1.0.0",
"psutil>=5.8.0",
"cryptography>=43.0.0", # Updated for security fixes
"cryptography>=44.0.1", # Updated for security fixes (buffer overflow CVE, DNS constraint CVE)
"keyring>=23.0.0",
"certifi>=2024.7.4", # Updated for security fixes
]
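Review bot: the new `"cryptography>=44.0.1"` line carries only the comment "buffer overflow CVE, DNS constraint CVE", while the PR description identifies them as GHSA-79v4-65xg-pq4m and GHSA-h4gh-qq45-vh27; put those identifiers in the comment so the reason for the 44.0.1 floor can be traced from pyproject.toml without opening this PR. The list also still has no Pygments entry even though the description says an explicit Pygments>=2.15.1 constraint was added to the Python dependency tree, so installs driven by this metadata keep Pygments unconstrained.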

Copilot AI Apr 11, 2026


Pygments>=2.15.1 was added to requirements.txt, but the PR description indicates adding an explicit constraint for the Python dependency tree (including pyproject.toml). If users install via the package metadata ([project].dependencies / extras), this file still leaves Pygments unconstrained; consider adding the same minimum version to pyproject.toml (likely under the appropriate extra such as docs if it’s only pulled by Sphinx), so the Dependabot alert is actually resolved for that resolver path too.
