Review cryptography dependency

[nijel]

I've recently "Security: Upgrade cryptography v46.0.6 -> v46.0.7 - CVE-2026-39892"
I've noticed that this project has optional dependencies but uses > v42 instead of forcing > 46.0.7

It works fine with openssl 3.4.1, havn't tested on other binaries

Should I force the project to use 46.0.7?

Originally posted by @Yemeni in #1176

[nijel]

Yes, it should be bumped. But looking at it, the extra makes little sense these days because PyJWT[crypto] is a dependency and it pulls cryptography as well. So perhaps moving it from extra to the dependencies would be a better approach.