
chore(deps): bump vulnerable transitive deps#425

Merged
SachaMorard merged 1 commit into
mainfrom
chore/bump-vulnerable-deps
May 20, 2026

Conversation

@SachaMorard (Member)

Summary

Bumps four transitive crates in Cargo.lock to clear all 13 open Dependabot alerts on main. Cargo.toml already allows these versions, so no manifest changes are needed.

| Crate | From | To | Alerts |
|---|---|---|---|
| bytes | 1.11.0 | 1.11.1 | #20 (BytesMut::reserve integer overflow) |
| openssl | 0.10.75 | 0.10.80 | #27–#35 (AES KW OOB writes/heap overflow, X509 OCSP UB, Deriver short-buffer overflow, PSK/cookie trampoline leak, MdCtxRef::digest_final OOB, PEM cb OOB read) |
| openssl-sys | 0.9.111 | 0.9.116 | (pulled in with openssl) |
| rand | 0.9.2 | 0.9.4 | #26 (custom logger unsoundness) |
| rustls-webpki | 0.103.8 | 0.103.13 | #22, #24, #25, #32 (CRL DoS, name-constraint handling, CRL distribution-point matching) |

Test plan

  • cargo build clean
  • cargo test — 8 unit + 5 doc tests passing
  • Confirm Dependabot closes the listed alerts after merge

🤖 Generated with Claude Code

Update Cargo.lock to clear open Dependabot alerts on transitive crates:

- bytes 1.11.0 -> 1.11.1 (GHSA: BytesMut::reserve integer overflow)
- openssl 0.10.75 -> 0.10.80 / openssl-sys 0.9.111 -> 0.9.116
  (covers OOB writes in cipher_update_inplace, AES key-wrap heap overflow,
  X509Ref::ocsp_responders UB, AES key wrap bounds, PSK/cookie trampoline
  leaks, MdCtxRef::digest_final write past buffer, PEM password callback
  OOB read, Deriver::derive short buffer overflow)
- rand 0.9.2 -> 0.9.4 (custom logger unsoundness)
- rustls-webpki 0.103.8 -> 0.103.13 (DoS on malformed CRL BIT STRING,
  URI/wildcard name constraint handling, CRL distribution point matching)

No source changes; Cargo.toml constraints already allow these versions.
Build and tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
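A lockfile check for this kind of bump, added here as an example and not part of the PR or the project's code: it parses every `[[package]]` entry in Cargo.lock and flags any copy of the five crates still below the fixed version, because Cargo.lock can hold two versions of one transitive crate and a stale duplicate keeps the Dependabot alert open. The lockfile excerpt is constructed; version strings are assumed to be plain x.y.z.

```python
import re

# Minimum fixed versions, taken from the PR's table.
FIXED_VERSIONS = {
    "bytes": "1.11.1",
    "openssl": "0.10.80",
    "openssl-sys": "0.9.116",
    "rand": "0.9.4",
    "rustls-webpki": "0.103.13",
}

# Constructed Cargo.lock excerpt (not the project's real lockfile). The second
# `bytes` entry shows how a stale vulnerable copy can survive a bump.
SAMPLE_LOCK = """\
version = 4

[[package]]
name = "bytes"
version = "1.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.80"

[[package]]
name = "rand"
version = "0.9.4"
"""

def parse_lock(text):
    """Return every (name, version) pair found under a [[package]] header."""
    pkgs = []
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            pkgs.append((name.group(1), ver.group(1)))
    return pkgs

def semver(v):
    """Numeric tuple for ordering; assumes plain x.y.z (no pre-release tags)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def stale_copies(lock_text, fixed=FIXED_VERSIONS):
    """Entries of the watched crates still below the fixed version.
    A crate absent from the lock is fine; every present copy must be patched."""
    return [(n, v) for n, v in parse_lock(lock_text)
            if n in fixed and semver(v) < semver(fixed[n])]
```

Run `stale_copies(open("Cargo.lock").read())` in CI after the bump; an empty list means no copy of these crates remains below the fixed version.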
@SachaMorard SachaMorard requested a review from a team as a code owner May 20, 2026 04:03
@SachaMorard SachaMorard merged commit a6f9deb into main May 20, 2026
12 checks passed
@SachaMorard SachaMorard deleted the chore/bump-vulnerable-deps branch May 20, 2026 04:06