Skip to content

fix(deps): resolve in-range RustSec advisories (anyhow, crossbeam-epoch, quinn-proto)#3

Open
gortavoher wants to merge 1 commit into
mainfrom
fix/rustsec-anyhow-crossbeam
Open

fix(deps): resolve in-range RustSec advisories (anyhow, crossbeam-epoch, quinn-proto)#3
gortavoher wants to merge 1 commit into
mainfrom
fix/rustsec-anyhow-crossbeam

Conversation

@gortavoher

Copy link
Copy Markdown
Contributor

Lockfile-only bumps that clear the in-range-resolvable RustSec advisories:

Advisory Crate Fix
RUSTSEC-2026-0190 anyhow 1.0.102 → 1.0.103
RUSTSEC-2026-0204 crossbeam-epoch 0.9.18 (transitive) → 0.9.20
RUSTSEC-2026-0185 quinn-proto 0.11.14 → 0.11.15

Verified: clippy --all --tests --all-features -D warnings clean, fmt --check clean, tests green.

⚠️ Still outstanding (separate effort — need out-of-range/manifest bumps)

cargo audit remains red on this repo due to:

  • quick-xml — RUSTSEC-2026-0194, RUSTSEC-2026-0195 (0.39.4 does not patch; needs ≥0.40)
  • rustls-webpki — RUSTSEC-2026-0098, 0099, 0104 (deep in the TLS stack; likely cascades to rustls/reqwest)

These require manifest changes and dependency-tree review, so they're out of scope for this lockfile sweep.

🤖 Generated with Claude Code

Lockfile-only bumps that clear three advisories:
- RUSTSEC-2026-0190: anyhow 1.0.102 -> 1.0.103 (downcast_mut UB)
- RUSTSEC-2026-0204: crossbeam-epoch 0.9.18 -> 0.9.20 (transitive)
- RUSTSEC-2026-0185: quinn-proto 0.11.14 -> 0.11.15 (remote mem exhaustion)

tcc-data still has advisories requiring out-of-range/manifest bumps
(quick-xml RUSTSEC-2026-0194/0195; rustls-webpki RUSTSEC-2026-0098/0099/0104)
that need a separate dependency-update effort.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Jeremiah Russell <jerry@jrussell.ie>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant