chore(integration): bump cryptography to 46.0.6#8892

Open
EhteshamSid wants to merge 3 commits into aws:develop from EhteshamSid:fix/bump-cryptography-to-46-0-6
Conversation

@EhteshamSid

A few dependencies in the requirements file have CVEs fixed in newer versions:

Bumped each one to the minimum safe version.

There's a mutable default argument in samcli/lib/sync/infra_sync_executor.py. The default value is shared across all calls that don't pass that argument, so mutations in one call silently affect the next. Changed the default to None with an if arg is None guard inside the function.

Changed files: samcli/lib/sync/infra_sync_executor.py, samcli/local/lambdafn/remote_files.py, tests/integration/durable_integ_base.py, tests/integration/local/start_api/test_start_api.py, tests/integration/logs/test_logs_command.py and 8 more
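The mutable-default pitfall described above, as an added example that is not code from aws-sam-cli or from the PR: the function names and the "collect resources" scenario are hypothetical stand-ins for the pattern fixed in infra_sync_executor.py. The block shows the shared-state leak, the `None` sentinel fix, and why the guard must be `is None` rather than a falsy check.

```python
"""Mutable default argument: the shared-state bug and the None-guard fix.

Added example, not code from aws-sam-cli. The function names and the
resource-collection scenario are hypothetical; they illustrate the pattern
the PR description fixes, not the project's actual code.
"""
from typing import List, Optional


def collect_resources_buggy(resource_id: str, seen: List[str] = []) -> List[str]:  # noqa: B006
    """BUGGY: the default list is created once, when 'def' executes, and is
    then shared by every call that omits 'seen'. Each call appends to the
    same object, so state leaks between otherwise unrelated calls."""
    seen.append(resource_id)
    return seen


def collect_resources_fixed(resource_id: str, seen: Optional[List[str]] = None) -> List[str]:
    """FIXED: use None as the sentinel and allocate a fresh list per call.
    A caller-supplied list (even an empty one) is still honoured."""
    if seen is None:
        seen = []
    seen.append(resource_id)
    return seen


def collect_resources_falsy_guard(resource_id: str, seen: Optional[List[str]] = None) -> List[str]:
    """PITFALL: 'if not seen' also replaces an empty list the caller passed
    in, so the caller never sees the appended item. Shown for contrast."""
    if not seen:
        seen = []
    seen.append(resource_id)
    return seen


def demo(fn) -> dict:
    """Make two independent calls that both omit the optional argument and
    report what each returned and whether they share one object."""
    first = fn("Function-A")
    second = fn("Function-B")
    return {"first": list(first), "second": list(second), "shared": first is second}


def caller_list_receives(fn) -> List[str]:
    """Pass an explicitly empty list and return it afterwards, to show
    whether the function wrote into the caller's list."""
    mine: List[str] = []
    fn("Function-C", mine)
    return mine


if __name__ == "__main__":
    print("buggy:", demo(collect_resources_buggy))   # both calls see A and B
    print("fixed:", demo(collect_resources_fixed))   # each call sees only its own id
    print("falsy guard drops caller's list:", caller_list_receives(collect_resources_falsy_guard))
```

Inspecting `collect_resources_buggy.__defaults__` after a couple of calls shows the default list growing, which is a quick way to confirm the leak in a debugger. Linters flag the pattern as B006 (flake8-bugbear) or W0102 (pylint).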

@EhteshamSid EhteshamSid requested a review from a team as a code owner April 5, 2026 20:21
@github-actions github-actions bot added the labels area/local/start-api (sam local start-api command), area/local/invoke (sam local invoke command), area/local/start-invoke, pr/external and stage/needs-triage (automatically applied to new issues and PRs, indicating they haven't been looked at) on Apr 5, 2026
@EhteshamSid EhteshamSid force-pushed the fix/bump-cryptography-to-46-0-6 branch from 0eea2bc to f2b00de on April 6, 2026 20:01
@reedham-aws reedham-aws previously approved these changes Apr 7, 2026
@reedham-aws reedham-aws dismissed their stale review April 7, 2026 22:35

Accidental approval

@EhteshamSid EhteshamSid force-pushed the fix/bump-cryptography-to-46-0-6 branch from f2b00de to 6baf6cc on April 7, 2026 22:39
Contributor

@reedham-aws reedham-aws left a comment

Changes look good, are there any more places that would require an update to the cryptography version? I'm not understanding why it's just tests/integration/testdata/buildcmd/asset.b998895901bf33127f2c9dce715854f8b35aa73fb7eb5245ba9721580bbe5837/requirements.txt.

Another example of a place with an old version is here:

@EhteshamSid
Author

Thanks for the review! To answer your question about the other files:

The cryptography==3.3.2 pins in tests/integration/testdata/buildcmd/ (PyLayer, Python, PythonImage, etc.) are intentional test fixtures - they simulate a sample user Lambda function with a specific pinned dependency to test SAM CLI's build pipeline behavior. Bumping those would change what the tests are validating rather than fix a real exposure.

The requirements/reproducible-linux.txt, reproducible-mac.txt, and reproducible-win.txt files (SAM CLI's own dependency lockfiles) are already at 46.0.6 - that was handled upstream before this PR.

The asset.b998895.../requirements.txt file was the outlier - it's a CDK-generated integration test asset that actually gets installed during the test run, so it represented a genuine vulnerable dependency being pulled in. That's the one we updated.

Let me know if you'd like any of the other fixture files updated as well - happy to do so if that's preferred.

@reedham-aws
Contributor

I don't think the 3.3.2 version is necessarily intentional, just a long time since it was updated 😅. I also don't see the difference between the CDK generated requirements file and the one that I linked before, both should get installed in the buildcmd tests via sam build. I think it might just be easier to update all instances.

Also I'd like to note that there are some linting errors in the CI. You can test those locally by running make pr.

@EhteshamSid
Author

Fair point - updated all the remaining 3.3.2 pins in the buildcmd test fixtures too. Also fixed the linting issues (unused imports + import ordering in durable_integ_base.py and regression_deploy_base.py).
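The review exchange above comes down to finding every place in the tree that still pins cryptography below the target version. The following is an added example, not a tool from aws-sam-cli or from this PR: a small stdlib-only scanner that walks requirements files, reports pins below a minimum, and skips comments and range specifiers. The minimum version is taken from the 46.0.6 target discussed in the PR; the sample requirements texts are constructed for illustration.

```python
"""Report pinned 'cryptography==X' lines below a minimum safe version.

Added example, not code from aws-sam-cli or this PR. MIN_SAFE follows the
46.0.6 target discussed in the PR; the SAMPLE_* strings are constructed
inputs, not real files from the repository.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

MIN_SAFE: Tuple[int, ...] = (46, 0, 6)

# Exact pin of cryptography, optionally with extras, e.g.
#   cryptography==3.3.2
#   Cryptography[ssh] == 45.0.0 ; python_version >= '3.8'
# Range specifiers (>=, ~=, <) are deliberately not matched: pip resolves
# those to a current release, so they are a different class of finding.
PIN_RE = re.compile(
    r"^\s*(cryptography)(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'46.0.6' -> (46, 0, 6). Only numeric dotted versions are expected
    here because PIN_RE already restricted the match to that shape."""
    return tuple(int(part) for part in text.split("."))


def is_below(version: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare two version tuples, zero-padding the shorter one so that
    (46, 0) is treated as 46.0.0 rather than as shorter-therefore-smaller."""
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def find_stale_pins(lines: Iterable[str], minimum: Tuple[int, ...] = MIN_SAFE) -> List[Tuple[int, str]]:
    """Return (line_number, pinned_version) for each cryptography pin below
    'minimum'. Trailing '# ...' comments are stripped before matching."""
    stale: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0]
        match = PIN_RE.match(line)
        if match is None:
            continue
        pinned = match.group(2)
        if is_below(parse_version(pinned), minimum):
            stale.append((lineno, pinned))
    return stale


def scan_tree(root: Path, pattern: str = "**/requirements*.txt") -> Dict[str, List[Tuple[int, str]]]:
    """Walk 'root' for requirements files and map each path with stale pins
    to its findings. Files with no stale pins are omitted."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path in sorted(root.glob(pattern)):
        stale = find_stale_pins(path.read_text(encoding="utf-8").splitlines())
        if stale:
            findings[str(path.relative_to(root))] = stale
    return findings


# Constructed sample inputs (not real repository files).
SAMPLE_FIXTURE = "requests==2.31.0\ncryptography==3.3.2\n"
SAMPLE_LOCK = "cryptography==46.0.6  # already bumped upstream\n"
SAMPLE_RANGE = "cryptography>=3.0\n"  # not an exact pin; intentionally not reported


if __name__ == "__main__":
    for rel_path, stale in scan_tree(Path(".")).items():
        for lineno, pinned in stale:
            print(f"{rel_path}:{lineno}: cryptography=={pinned} is below {'.'.join(map(str, MIN_SAFE))}")
```

Run from the repository root to list every fixture, lockfile or generated asset that still carries an old exact pin. The scanner only reports exact `==` pins; whether a flagged file is a test fixture that should keep its version or a dependency that is genuinely installed during a test run is a judgement call for the reviewer, as in the discussion above.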

@EhteshamSid EhteshamSid force-pushed the fix/bump-cryptography-to-46-0-6 branch from 60c6abe to 1fa1643 on April 7, 2026 23:13
@EhteshamSid EhteshamSid force-pushed the fix/bump-cryptography-to-46-0-6 branch from fcbc60e to f3468cf on April 7, 2026 23:36
@reedham-aws reedham-aws removed the stage/needs-triage label (automatically applied to new issues and PRs, indicating they haven't been looked at) on Apr 7, 2026