Commit 263c5db

chore(deps): document upstream blocker for RUSTSEC-2025-0134 suppression (#1542)
Update deny.toml comment for rustls-pemfile unmaintained advisory to reference qdrant/rust-client#255 (tonic 0.14 upgrade). No code change is possible until qdrant-client ships a release with the updated tonic.
1 parent 8b7b966 commit 263c5db

2 files changed

Lines changed: 3 additions & 2 deletions

.github/deny.toml

Lines changed: 2 additions & 2 deletions
@@ -10,8 +10,8 @@ features = ["candle", "tui"]
1010
[advisories]
1111
db-path = "~/.cargo/advisory-db"
1212
db-urls = ["https://github.com/rustsec/advisory-db"]
13-
# rustls-pemfile unmaintained (via qdrant-client -> tonic)
14-
# Cannot fix directly, monitoring upstream
13+
# rustls-pemfile unmaintained (RUSTSEC-2025-0134, via qdrant-client -> tonic 0.12)
14+
# Blocked on qdrant/rust-client#255 (tonic 0.14 upgrade removes rustls-pemfile)
1515
# number_prefix unmaintained (via indicatif -> hf-hub, candle transitive dep)
1616
ignore = ["RUSTSEC-2025-0134", "RUSTSEC-2024-0436"]
1717
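Review bot: the rewritten comment on lines 13-14 names the advisory and the upstream blocker, but the suppression on line 16 is still open-ended: nothing in the file says when `RUSTSEC-2025-0134` should be re-evaluated or removed, and the old "monitoring upstream" wording that at least signalled a periodic re-check has been dropped. Suggest stating the exit condition next to the entry, e.g. `# Remove once qdrant-client ships a release built on tonic 0.14`, and, if the cargo-deny version in use accepts the structured form, attaching the rationale to the entry itself as `{ id = "RUSTSEC-2025-0134", reason = "blocked on qdrant/rust-client#255" }` so the justification cannot drift apart from the ignore list. The comment for `RUSTSEC-2024-0436` on line 15 still carries no tracking reference, unlike the entry just above it, and would benefit from the same treatment.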

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
1010

1111
- `McpLspProvider` was sending `"uri"` as the parameter key to all mcpls tool calls, but mcpls 0.3.4 expects `"file_path"`. All six methods (`hover`, `definition`, `references`, `diagnostics`, `document_symbols`, `code_actions`) are fixed. `code_actions` additionally now sends flat `start_line`/`start_character`/`end_line`/`end_character` fields instead of a nested `range` object, matching the mcpls `get_code_actions` schema. Fixes #1533.
1212
- `--init` wizard generated unsupported `--workspace-root` flag for mcpls. The wizard now writes `.zeph/mcpls.toml` (with workspace roots, language extensions, and rust-analyzer LSP server config) and passes `--config .zeph/mcpls.toml` to mcpls instead. Fixes broken LSP setup for all users who configured mcpls via `zeph init`. (#1534)
13+
- Update `deny.toml` suppression comment for RUSTSEC-2025-0134 (`rustls-pemfile` unmaintained) to reference upstream tracking issue qdrant/rust-client#255 (tonic 0.14 upgrade that removes the dependency); no code change possible until upstream ships a release.
1314
- Shell command blocklist (`blocked_commands`, `DEFAULT_BLOCKED`, `allow_network = false`) was silently skipped whenever a `PermissionPolicy` was attached to `ShellExecutor` (i.e., in all normal operation with `autonomy_level` set). `find_blocked_command()` now runs unconditionally before the policy check, making it a hard security boundary that cannot be bypassed by any autonomy level or permission policy configuration.
1415

1516
### Added
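Review bot: the new entry on line 13 sits among user-facing bug fixes (the mcpls parameter-key fix above it and the `ShellExecutor` blocklist fix below it) even though it changes only a comment in `deny.toml` and leaves `RUSTSEC-2025-0134` suppressed; a reader scanning this section for fixes may read it as the advisory being resolved. Suggest either dropping it from the release notes or moving it to a section for internal or security-posture changes, and adding a short pointer such as "(advisory remains in the `ignore` list)" so the continued suppression is explicit rather than implied by "no code change possible".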
