
ENG-3021: Bump pyasn1 to ~=0.6.3 #7726

Merged
erosselli merged 3 commits into main from erosselli/ENG-3021 on Mar 23, 2026

Conversation

erosselli (Contributor) commented Mar 23, 2026

Ticket ENG-3021

Description Of Changes

Adds an explicit pyasn1~=0.6.3 pin to address CVE-2026-30922 (unbounded recursion DoS in ASN.1 decoding). pyasn1 is a transitive dependency via google-auth and rsa — not imported directly by fides or fidesplus.

Code Changes

  • Added pyasn1~=0.6.3 pin in pyproject.toml
  • Regenerated uv.lock

Steps to Confirm

  1. CI passes — no direct pyasn1 imports in fides or fidesplus

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@erosselli erosselli marked this pull request as ready for review March 23, 2026 14:25
greptile-apps bot (Contributor) commented Mar 23, 2026

Greptile Summary

This PR adds an explicit pyasn1>=0.6.3,<0.7.0 pin to pyproject.toml and regenerates uv.lock to remediate CVE-2026-30922 (unbounded recursion DoS in ASN.1 decoding). Since pyasn1 is a transitive dependency (via google-auth / rsa) without any direct imports in the codebase, this is the correct minimal approach to enforce the safe version floor.

  • pyproject.toml: constraint >=0.6.3,<0.7.0 added in alphabetical order alongside neighbouring pins; no conflicts with rsa~=4.9.1 which requires pyasn1>=0.4.8,!=0.5.0.
  • uv.lock: pyasn1 correctly resolved to 0.6.3 with refreshed sdist and wheel hashes.
  • changelog/7726-bump-pyasn1.yaml: security changelog entry references the CVE and PR correctly.
  • Note: the <0.7.0 upper bound means any future security fixes landing in a 0.7.x release would require a manual re-pin, but this is intentional to avoid unvetted breaking changes for a transitive dependency.

Confidence Score: 5/5

  • This PR is safe to merge — it is a targeted, low-risk security patch with no behaviour changes.
  • Change is limited to a single dependency version floor bump addressing a known CVE. The lock file is correctly regenerated, hashes are present, and there are no direct imports of pyasn1 in the codebase to break. No logic, API, or schema changes are involved.
  • No files require special attention.

Important Files Changed

Filename Overview
pyproject.toml Adds explicit pyasn1>=0.6.3,<0.7.0 pin to remediate CVE-2026-30922; constraint is well-formed and consistent with surrounding dependency style.
uv.lock Lock file correctly regenerated: pyasn1 bumped from 0.6.2 → 0.6.3 with updated sdist/wheel hashes and the new direct dependency entry added.
changelog/7726-bump-pyasn1.yaml Changelog entry present with correct type, description, and PR number.

Reviews (1): Last reviewed commit: "Add changelog for PR #7726"

claude bot left a comment

Code Review: ENG-3021 — Bump pyasn1 to >=0.6.3

Clean, minimal security bump. No logic changes, no new code paths, no migration impact.

Summary

  • Correctly adds an explicit pyasn1 floor pin in pyproject.toml to prevent the CVE-affected 0.6.2 from being resolved as a transitive dep via google-auth/rsa.
  • uv.lock is properly regenerated to 0.6.3.
  • Changelog entry is present.

Findings

Two minor nits (no blockers):

  1. Version specifier style (pyproject.toml line 130) — >=0.6.3,<0.7.0 is functionally correct but differs from the ~= style used by adjacent pins. Consider ~=0.6.3 for consistency.
  2. Changelog wording — "Bumped pyasn1 to 0.6.3" doesn't capture that the pin is a range (>=0.6.3,<0.7.0). A small clarification would be more precise.

Otherwise LGTM — the fix is appropriately scoped and the lock file reflects the intended resolution.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
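The pin the PR description adds, and the reviewer's point that `~=0.6.3` and `>=0.6.3,<0.7.0` say the same thing, can be checked mechanically rather than by eye. The following Python script is an added example for this page, not code from the fides repository or from any of the reviewers. The uv.lock-style fragment it parses is constructed to mirror the resolution described above (pyasn1 at 0.6.3, rsa at 4.9.1), the rsa constraint is the one quoted in the Greptile summary, and the version logic is a deliberately small subset of PEP 440 (plain dotted release segments only, no pre/post/dev releases), which is enough for these packages.

```python
"""Check what an explicit pin on a transitive dependency really allows, and
whether the locked version meets it and the requirements of the packages
that pull the dependency in. Stdlib only; minimal PEP 440 subset."""
import re
from itertools import zip_longest

# Constructed uv.lock-style excerpt for this example (not the real fides lock).
LOCK_FRAGMENT = '''
[[package]]
name = "pyasn1"
version = "0.6.3"

[[package]]
name = "rsa"
version = "4.9.1"
'''

# Constraints other packages place on pyasn1, as quoted in the review.
DOWNSTREAM_REQUIREMENTS = {"rsa": "pyasn1>=0.4.8,!=0.5.0"}

LOCK_RE = re.compile(
    r'\[\[package\]\]\s*name\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"')
CLAUSE_RE = re.compile(r"^(~=|>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """'0.6.3' -> (0, 6, 3); plain release segments only."""
    return tuple(int(p) for p in text.strip().split("."))


def compare(a, b):
    """Three-way compare, zero-padded so that 0.7 == 0.7.0."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


OPERATORS = {
    ">=": lambda v, t: compare(v, t) >= 0, "<=": lambda v, t: compare(v, t) <= 0,
    ">": lambda v, t: compare(v, t) > 0, "<": lambda v, t: compare(v, t) < 0,
    "==": lambda v, t: compare(v, t) == 0, "!=": lambda v, t: compare(v, t) != 0,
}


def expand_compatible(clause):
    """PEP 440 compatible release: '~=0.6.3' means '>=0.6.3, ==0.6.*', which
    for plain releases is ['>=0.6.3', '<0.7']. Drop the last segment, bump
    the one before it to form the exclusive upper bound."""
    target = clause[2:].strip()
    parts = target.split(".")
    if len(parts) < 2:
        raise ValueError("~= needs at least two release segments: " + clause)
    upper = parts[:-1]
    upper[-1] = str(int(upper[-1]) + 1)
    return [">=" + target, "<" + ".".join(upper)]


def satisfies(version, specifier_set):
    """True if `version` meets every comma-separated clause of the set."""
    clauses = []
    for raw in (c.strip() for c in specifier_set.split(",") if c.strip()):
        clauses.extend(expand_compatible(raw) if raw.startswith("~=") else [raw])
    v = parse_version(version)
    for clause in clauses:
        match = CLAUSE_RE.match(clause)
        if not match:
            raise ValueError("unsupported specifier clause: " + clause)
        op, target = match.groups()
        if not OPERATORS[op](v, parse_version(target)):
            return False
    return True


def parse_requirement(req):
    """'pyasn1>=0.4.8,!=0.5.0' -> ('pyasn1', '>=0.4.8,!=0.5.0')."""
    match = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$", req)
    if not match:
        raise ValueError("cannot parse requirement: " + req)
    return match.group(1), match.group(2)


def check_pin(pin, lock_text=LOCK_FRAGMENT, downstream=DOWNSTREAM_REQUIREMENTS):
    """Does the locked version meet the explicit pin, and does it still
    satisfy every package that depends on the pinned name?"""
    name, spec = parse_requirement(pin)
    version = dict(LOCK_RE.findall(lock_text)).get(name)
    if version is None:
        return {"resolved": None, "meets_pin": False, "conflicts": []}
    conflicts = [who for who, req in downstream.items()
                 if parse_requirement(req)[0] == name
                 and not satisfies(version, parse_requirement(req)[1])]
    return {"resolved": version, "meets_pin": satisfies(version, spec),
            "conflicts": conflicts}


if __name__ == "__main__":
    print(expand_compatible("~=0.6.3"))
    for candidate in ("0.6.2", "0.6.3", "0.6.9", "0.7.0"):
        print(candidate, satisfies(candidate, "~=0.6.3"),
              satisfies(candidate, ">=0.6.3,<0.7.0"))
    print(check_pin("pyasn1~=0.6.3"))
```

Running it shows the two spellings agree on every candidate (0.6.2 and 0.7.0 rejected, 0.6.3 and 0.6.9 accepted), that the locked 0.6.3 meets the pin, and that it does not conflict with rsa's own constraint. Swapping the fragment's pyasn1 version back to 0.6.2 flips `meets_pin` to False, which is the CI-style check a team would want before trusting a regenerated lock file.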
@erosselli erosselli changed the title from "ENG-3021: Bump pyasn1 to >=0.6.3" to "ENG-3021: Bump pyasn1 to ~=0.6.3" Mar 23, 2026
@erosselli erosselli added this pull request to the merge queue Mar 23, 2026
Merged via the queue into main with commit 7b2c66a Mar 23, 2026
57 checks passed
@erosselli erosselli deleted the erosselli/ENG-3021 branch March 23, 2026 15:01