
Bump snowflake-connector-python from 4.3.0 to 4.5.0 #62

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/pip/snowflake-connector-python-4.5.0


dependabot[bot] commented on behalf of github on May 12, 2026

Bumps snowflake-connector-python from 4.3.0 to 4.5.0.

Release notes

Sourced from snowflake-connector-python's releases.

4.5.0

  • v4.5.0 (May 12, 2026)
    • Fixed write_pandas temp stage name collisions (SNOW-3481510). The old PRNG could produce identical name sequences in forked processes (e.g. Notebook kernels), causing CREATE TEMPORARY STAGE to fail with "Object already exists".
    • Fixed a security bug in Okta SAML authentication where _is_prefix_equal() compared url1's port against itself instead of url2's port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to use int instead of str for correct comparison when one URL omits the port.
    • Fixed executemany with paramstyle="pyformat" to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behaviour with nested function calls such as SQLAlchemy @compiles VARIANT patterns (e.g. PARSE_JSON(%(col)s)) and subquery-form INSERTs (SNOW-298756).
    • Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
    • Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
    • Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
    • Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN environment variable to true. Note: This environment variable will be removed in a future release.
    • Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files (SNOW-2439940). The SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable is now a no-op.
    • Updated SPCS token injection to gate on SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable, trim whitespace, and remove configurable token path.
    • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address, so it works on IPv6-only GCP VMs.
    • Fixed a bug where write_pandas() with auto_create_table=False and overwrite=True would execute CREATE TABLE IF NOT EXISTS, which required unnecessary OWNERSHIP privilege on the table. Now only TRUNCATE TABLE is executed in this case. Note: users who relied on the table being implicitly created despite auto_create_table=False should set auto_create_table=True instead.
    • Added validation of the account connection parameter so malformed identifiers (for example path-like values or labels outside letters, digits, _, and -) are rejected with ProgrammingError before login (SNOW-1902886).
    • Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.

4.4.0

  • v4.4.0 (March 24, 2026)
    • Bump the lower boundary of cryptography to 46.0.5 due to CVE-2026-26007.
    • Added support for Python 3.14.
    • Removed pyOpenSSL upper bound dependency constraint to allow installation of pyOpenSSL 26.0.0+, which includes a fix for GHSA-vp96-hxj8-p424.
    • Fixed Azure IMDS Metadata header to use lowercase "true" instead of "True", which caused 400 errors during Azure Workload Identity Federation authentication.
    • Fixed default crl_download_max_size to be 20MB instead of 200MB, as the previous value was set too high and could cause out-of-memory issues.
    • Fixed a bug where Azure GET commands would incorrectly set the file status to UPLOADED instead of preserving the DOWNLOADED status during metadata retrieval.
    • Renamed the environment variable for skipping config file permission warnings from SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE to SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. The old variable is still supported but emits a deprecation warning.
    • Fixed unsafe_skip_file_permissions_check flag not being respected when reading connections.toml.
    • Fixed JSONDecodeError in result_batch._load() when fetching large result sets
Commits
  • c2b2ba7 Bump up version to 4.5.0 (#2867)
  • 0bf4f41 Fix flaky QCC integration test by mocking server response (#2866)
  • f80224c SNOW-3472780 Azure Impersonation Support for WIF Authentication (#2863)
  • 21f0ceb Fix write_pandas temp stage name collisions in forked processes (SNOW-3481510...
  • a264b04 SNOW-3445811 migrate node labels to snowos, remove temptest-deployed svn_revi...
  • f4fa78d SNOW-1902886: Validate account input (#2591)
  • b14f940 SNOW-1184290: Skip CREATE TABLE IF NOT EXISTS when auto_create_table (#2791)
  • 68d12a3 SNOW-2875919 Use metadata.google.internal for GCP WIF to support IPv6-only in...
  • d036627 SNOW-1794102 Fix SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION (#2861)
  • b395c4c SNOW-3258702: include libc family/version in client session metadata. (#2860)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [snowflake-connector-python](https://github.com/snowflakedb/snowflake-connector-python) from 4.3.0 to 4.5.0.
- [Release notes](https://github.com/snowflakedb/snowflake-connector-python/releases)
- [Commits](snowflakedb/snowflake-connector-python@v4.3.0...v4.5.0)

---
updated-dependencies:
- dependency-name: snowflake-connector-python
  dependency-version: 4.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and python labels on May 12, 2026
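
The Okta SAML port-comparison bug described in the 4.5.0 release notes, as an added illustration that is not part of this PR or the connector's source. The function names, the `DEFAULT_PORTS` table and the `idp.example.com` URLs are assumptions constructed here; the two defective variants are reconstructed from the note's wording and shown beside a corrected comparison.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}  # assumed defaults, as ints

# Constructed sample URLs: same host, different port.
TRUSTED = "https://idp.example.com/app/sso"
OTHER_PORT = "https://idp.example.com:8443/app/sso"


def _split(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port  # port is an int, or None if omitted


def prefix_equal_self_compare(url1, url2):
    """Defect 1: url1's port is compared with itself, so url2's is ignored."""
    s1, h1, p1 = _split(url1)
    s2, h2, _unused = _split(url2)
    return s1 == s2 and h1 == h2 and p1 == p1


def prefix_equal_str_default(url1, url2):
    """Defect 2: the fallback is the str "443", never equal to the int 443."""
    s1, h1, p1 = _split(url1)
    s2, h2, p2 = _split(url2)
    port1 = "443" if p1 is None else p1
    port2 = "443" if p2 is None else p2
    return s1 == s2 and h1 == h2 and port1 == port2


def prefix_equal_fixed(url1, url2):
    """Compare scheme, host and effective port of both URLs; fail closed."""
    try:
        s1, h1, p1 = _split(url1)
        s2, h2, p2 = _split(url2)
    except ValueError:  # malformed or out-of-range port
        return False
    if s1 != s2 or s1 not in DEFAULT_PORTS or not h1 or h1 != h2:
        return False
    default = DEFAULT_PORTS[s1]
    return (default if p1 is None else p1) == (default if p2 is None else p2)


if __name__ == "__main__":
    explicit = "https://idp.example.com:443/app/sso"
    for check in (prefix_equal_self_compare, prefix_equal_str_default, prefix_equal_fixed):
        print(check.__name__, check(TRUSTED, OTHER_PORT), check(TRUSTED, explicit))
```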