Commit e1f5763

fix: audit test failures (#1099)
## Summary

Resolves a critical security advisory in a transitive dependency.

[RUSTSEC-2026-0037 — quinn-proto Denial of Service](https://rustsec.org/advisories/RUSTSEC-2026-0037)

Receiving QUIC transport parameters containing invalid values could lead to a panic due to unwrap() calls in the transport parameters parsing code.

CVSS 4.0 score: High (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H)

## Root cause

quinn-proto 0.11.13 was pulled in transitively via: reqwest → quinn → quinn-proto

## Fix

Bumped quinn-proto from 0.11.13 to 0.11.14 (the patched version) by running:

```
cargo update quinn-proto
```

Only Cargo.lock is changed — no direct dependency declarations needed updating since quinn-proto is a transitive dep.

## Notes

The audit also reported 6 unmaintained warnings (async-std, buf_redux, multipart, rustls-pemfile, safemem, twoway). These are informational only and did not cause the CI failure — they have no patched versions available and are tracked separately.

### What actually happened with itertools:

quinn-proto 0.11.13 depended on itertools 0.13.0. quinn-proto 0.11.14 dropped that dependency entirely. itertools 0.13.0 was removed from the lock file because nothing else needs it anymore.

bindgen also uses itertools, but its version constraint accepts ^0.11. While 0.13.0 was present (shared with quinn-proto), cargo resolved bindgen to use it. Once 0.13.0 was gone, cargo resolved bindgen to 0.11.0 — which was already in the lock file for some other crate, so it's just re-using what's there. This isn't a real downgrade for bindgen; 0.11.0 is fully within its declared constraint.

### Why not itertools 0.14.0?

`cargo update quinn-proto` is deliberately minimal — it only changes what's necessary to resolve quinn-proto's update and nothing else. It won't opportunistically upgrade unrelated crates like itertools for bindgen. To get 0.14.0 you'd need to run cargo update itertools separately, but that's a separate concern and would need its own testing/review.
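The commit relies on the lock file, not Cargo.toml, pinning the patched release of a transitive crate. The following is an added example (not code from this commit or from the bottlecap project) of a CI-style check that reads a Cargo.lock, reports the version resolved for a named crate, and fails if any resolved copy is below a minimum patched version. The two lock files are constructed inline to mirror the before/after state the message describes; the minimum version 0.11.14 is the patched quinn-proto release named in the commit, and everything else about the sample lock files is assumed.

```sh
#!/bin/sh
# Added example; not part of commit e1f5763 or the bottlecap project.
# Checks the version a Cargo.lock resolved for a (possibly transitive)
# crate and compares it against a minimum patched version.

# lock_version LOCKFILE CRATE -> prints every version resolved for CRATE
# (a lock file may carry several copies of one crate, one per line).
lock_version() {
    awk -v crate="$2" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3; next }
        /^version = / && name == crate { gsub(/"/, "", $3); print $3 }
    ' "$1"
}

# version_ge A B -> exit 0 if A >= B, comparing dotted numeric components.
# Pre-release suffixes (e.g. 1.0.0-rc1) are not handled; plain releases only.
version_ge() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$2" ]
}

# check_patched LOCKFILE CRATE MIN -> 0 if every resolved copy of CRATE is
# >= MIN, 1 if a vulnerable copy is present, 2 if CRATE is absent.
check_patched() {
    found=0
    for v in $(lock_version "$1" "$2"); do
        found=1
        if ! version_ge "$v" "$3"; then
            echo "$2 $v < $3 (vulnerable copy still in $1)" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "$2 not present in $1" >&2; return 2; }
    return 0
}

# Constructed sample: the lock file before `cargo update quinn-proto`
# (quinn-proto 0.11.13 still pulls in itertools 0.13.0).
LOCK_BEFORE=$(mktemp)
cat > "$LOCK_BEFORE" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "itertools"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "itertools"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quinn-proto"
version = "0.11.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "itertools 0.13.0",
]
EOF

# Constructed sample: the lock file after the update (quinn-proto 0.11.14,
# itertools 0.13.0 gone, itertools 0.11.0 still there for another crate).
LOCK_AFTER=$(mktemp)
cat > "$LOCK_AFTER" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "itertools"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quinn-proto"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

# Stand-alone demonstration: the first check fails, the second passes.
check_patched "$LOCK_BEFORE" quinn-proto 0.11.14 || echo "before: update required"
check_patched "$LOCK_AFTER" quinn-proto 0.11.14 && echo "after: quinn-proto is at a patched version"
```

In a real pipeline you would point `check_patched` at the repository's own Cargo.lock and the minimum version from the advisory; `cargo audit` does the advisory lookup for you, but a pinned-minimum check like this is a cheap guard against a later `cargo update` or lock-file regeneration silently reintroducing the vulnerable version.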
1 parent b84f9cf commit e1f5763

1 file changed

+3
-12
lines changed

bottlecap/Cargo.lock

Lines changed: 3 additions & 12 deletions