Copilot AI commented Jan 10, 2026

PyNaCl 1.5.0 contains CVE-2025-69277 in libsodium. Updated to 1.6.2 which includes libsodium 1.0.20-stable with the fix.

Changes

  • tools/base/requirements.txt: PyNaCl 1.5.0 → 1.6.2
    • Reduced from 10 hashes to 3 (glibc 2.28 only, no 2.34)
    • Included: macOS universal2, Linux x86_64/aarch64 with glibc 2.28
    • Excluded: glibc 2.34, Windows, musllinux wheels
    • All wheels: cp38-abi3 (Python 3.8+)

PyNaCl is a transitive dependency via pygithub. Hash reduction follows the existing pattern used for cryptography (see requirements.in comment about glibc version constraints).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /build/bazel_root/install/fb2a7f6d344d2f4e335882534df59296/embedded_tools/jdk/bin/java bazel(envoy) --add-opens=java.base/java.lang=ALL-UNNAMED -Xverify:none -Djava.util.logging.config.file=/build/bazel_root/base/javalog.properties -Dcom.google.devtools.build.lib.util.LogHandlerQuerier.class=com.google.devtools.build.lib.util.SimpleLogHandler$HandlerQuerier -XX:-MaxFDLimit -Djava.library.path=/build/bazel_root/install/fb2a7f6d344d2f4e335882534df59296/embedded_tools/jdk/lib:/build/bazel_root/install/fb2a7f6d344d2f4e335882534df59296/embedded_tools/jdk/lib/server:/build/bazel_root/install/fb2a7f6d344d2f4e335882534df59296/ -Dfile.encoding=ISO-8859-1 -Duser.country= -Duser.language= -Duser.variant= -Xmx3g -DBAZEL_TRACK_SOURCE_DIRECTORIES=1 -Djavax.net.ssl.trustStore=/tmp/custom-cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /build/bazel_root/install/fb2a7f6d344d2f4e335882534df59296/A-server.jar --max_idle_secs=10800 --noshutdown_on_low_sys_mem --connect_timeout_secs=30 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

we have a transitive py dep on pynacl which is flagging a vuln

not sure what is pulling that in but i seem to rem there being version conflicts historically with this dep when a previous vuln was flagged

if the dep that pulls it in is cryptography it needs special handling - specifically it needs to only include the hashes for the correct glibc versions - see previous updates for what needs to be updated

either way - let's address the pynacl vuln


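As an added illustration (not code from this PR or from Envoy), a small script that applies the hash-narrowing the PR description performs: it parses wheel platform tags, keeps only macOS universal2 wheels and manylinux wheels whose glibc floor is at most 2.28 on x86_64/aarch64, and emits the matching `--hash` lines for a requirements.txt entry. The wheel names and digests are constructed placeholders, not the published PyNaCl 1.6.2 files.

```python
import re

# Constructed sample inventory (wheel filename -> sha256): names follow the wheel
# naming scheme, but names and digests are placeholders, not real PyNaCl artifacts.
SAMPLE_WHEELS = {
    "pynacl-1.6.2-cp38-abi3-macosx_10_9_universal2.whl": "aa" * 32,
    "pynacl-1.6.2-cp38-abi3-manylinux_2_28_x86_64.whl": "bb" * 32,
    "pynacl-1.6.2-cp38-abi3-manylinux_2_28_aarch64.whl": "cc" * 32,
    "pynacl-1.6.2-cp38-abi3-manylinux_2_34_x86_64.whl": "dd" * 32,
    "pynacl-1.6.2-cp38-abi3-musllinux_1_2_x86_64.whl": "ee" * 32,
    "pynacl-1.6.2-cp38-abi3-win_amd64.whl": "ff" * 32,
    "pynacl-1.6.2.tar.gz": "11" * 32,
}
# Legacy manylinux aliases and the glibc floor each implies (PEP 600).
LEGACY_MANYLINUX = {"manylinux1": (2, 5), "manylinux2010": (2, 12), "manylinux2014": (2, 17)}
MANYLINUX_RE = re.compile(r"^manylinux_(\d+)_(\d+)_(.+)$")

def glibc_floor(platform_tag):
    """Return ((major, minor), arch) for a manylinux platform tag, else None."""
    m = MANYLINUX_RE.match(platform_tag)
    if m:
        return (int(m.group(1)), int(m.group(2))), m.group(3)
    name, _, arch = platform_tag.partition("_")
    if name in LEGACY_MANYLINUX:
        return LEGACY_MANYLINUX[name], arch
    return None

def wheel_allowed(filename, max_glibc=(2, 28), arches=("x86_64", "aarch64")):
    """Keep macOS universal2 wheels and manylinux wheels whose glibc floor is at
    most max_glibc; drop sdists, Windows, musllinux and newer-glibc wheels."""
    if not filename.endswith(".whl"):
        return False
    platform = filename[:-4].split("-")[-1]
    for tag in platform.split("."):  # one wheel may carry several platform tags
        if tag.startswith("macosx_") and tag.endswith("_universal2"):
            return True
        parsed = glibc_floor(tag)
        if parsed and parsed[0] <= max_glibc and parsed[1] in arches:
            return True
    return False

def pinned_requirement(name, version, wheels, **policy):
    """Render a requirements.txt entry with one --hash line per kept wheel."""
    kept = {f: h for f, h in wheels.items() if wheel_allowed(f, **policy)}
    lines = [f"{name}=={version} \\"]
    lines += [f"    --hash=sha256:{h} \\" for _, h in sorted(kept.items())]
    lines[-1] = lines[-1].rstrip(" \\")  # no continuation after the last line
    return kept, "\n".join(lines)
```

Because pip's hash-checking mode rejects any artifact whose digest is not listed, dropping the glibc 2.34, Windows and musllinux hashes makes installs on those platforms fail closed rather than fall back to an unpinned download.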

Copilot AI self-assigned this Jan 10, 2026
@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #42926 was opened by Copilot.

see: more, trace.

@repokitteh-read-only repokitteh-read-only bot added the "deps" label (Approval required for changes to Envoy's external dependencies) Jan 10, 2026
@repokitteh-read-only

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @phlax

🐱

Caused by: #42926 was synchronized by Copilot.

see: more, trace.

Copilot AI changed the title from "[WIP] Address pynacl vulnerability and handle transitive dependency" to "deps: update PyNaCl 1.5.0 → 1.6.2 (CVE-2025-69277)" Jan 10, 2026
Copilot AI requested a review from phlax January 10, 2026 13:59