poetry: unlock cryptography versions to prevent conflicts with other packages

[markjm]

Summary

Currently, cryptography is pinned to cryptography = "^38.0.4". In poetry, this expands to >=38.04,<39.

This worked well for old cryptography package versions since they always looked like 3.X.Y, but starting in 35.* versioning changed.

See https://cryptography.io/en/latest/api-stability/#versioning for specifics - essentially a major version change does not indicate breaking changes necessarily.

In short, code that runs without warnings will always continue to work for a period of two major releases.

From time to time, we may decide to deprecate an API that is particularly widely used. In these cases, we may decide to provide an extended deprecation period, at our discretion.

Testing

Running tests on latest cryptography right now (40), all tests pass

Additionally, a random sampling of 3p dependencies used in a random internal project seems to indicate that this is standard practice

Note - I have signed the CLA on behalf of my company, tied to my github username @markjm

[markjm]

Hi @adorton-adobe - thanks for maintaining the project. I have created a small PR which i think demonstrates a problem and fixes it. Please let me know if there is anything else youd like from me for validation or process!