Commit 39db302
fix: clear 3 RUSTSEC advisories via dep bumps + ignore-list sync (#110)
Three-part fix for #102 (originally scoped to rand; expanded to clear
two adjacent advisories that surfaced once rand was no longer the
loudest noise in cargo audit):

1. `cargo update -p rand@0.9.2` → 0.9.4. Clears RUSTSEC-2026-0097
   for the 0.9.x instance (pulled via uuid, quinn-proto, debugid).
2. `cargo update -p wasmtime@43.0.1` → 43.0.2. Clears RUSTSEC-2026-0114
   (panic on table allocation exceeding host address space).
3. `cargo update -p rustls-webpki` → 0.103.13. Clears RUSTSEC-2026-0104
   (reachable panic in CRL parsing).

All three are within-minor patch bumps; no Cargo.toml edits needed
because the existing version constraints were range-compatible.

The residual `rand 0.8.5` transitive (via regorus 0.2.8 policy engine)
cannot be patched without an upstream regorus release that bumps to
rand 0.9+. wsc does not use custom rand loggers, so the unsoundness
from RUSTSEC-2026-0097 does not affect us. deny.toml already had this
ignore; this commit adds the matching `--ignore RUSTSEC-2026-0097`
flag to the cargo-audit CI step so the two ignore lists stay aligned.

Effect:
  before: cargo audit → 4 vulnerabilities (rand x2, wasmtime, webpki)
  after:  cargo audit → 0 vulnerabilities (with --ignore list applied)

Fixes: #102
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 64f4f54 commit 39db302
2 files changed
Lines changed: 74 additions & 68 deletions
[diff body not captured in this rendering; only the line map survived: hunk 1 inserts new lines 50-54 after old line 49; hunk 2 replaces old line 59 with new lines 64-65; file names not shown]
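The commit keeps the deny.toml ignore list and the cargo-audit `--ignore` flag aligned by hand. The following is an added example, not code from the wsc repository or this commit: it derives the `--ignore` flags from deny.toml and fails when the two lists drift. The deny.toml content, the `write_sample_deny_toml` helper and the id RUSTSEC-0000-0001 are constructed placeholders for this example.

```shell
# Print the advisory ids listed under [advisories] ignore = [...] in deny.toml.
# Handles plain "RUSTSEC-..." strings and { id = "...", reason = "..." } entries.
deny_ignores() {
  awk '
    /^\[/ { in_adv = ($0 ~ /^\[advisories\]/); in_ign = 0 }
    in_adv && /^[ \t]*ignore[ \t]*=/ { in_ign = 1 }
    in_ign {
      line = $0
      while (match(line, /RUSTSEC-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]/)) {
        print substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
      if (index($0, "]") > 0) in_ign = 0   # closing bracket ends the array
    }
  ' "$1" | sort -u
}

# Turn that list into the flags cargo audit expects, on a single line.
audit_flags_from_deny() {
  deny_ignores "$1" | awk '{ printf "%s--ignore %s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Print the advisory ids a CI command line already passes via --ignore.
ci_ignores() {
  printf '%s\n' "$1" | grep -oE -- '--ignore[= ]+RUSTSEC-[0-9]{4}-[0-9]{4}' \
    | grep -oE 'RUSTSEC-[0-9]{4}-[0-9]{4}' | sort -u
}

# Succeed when deny.toml ($1) and the CI cargo-audit command ($2) ignore
# exactly the same advisories; otherwise report the drift and fail.
ignore_lists_in_sync() {
  deny_set=$(deny_ignores "$1")
  ci_set=$(ci_ignores "$2")
  if [ "$deny_set" != "$ci_set" ]; then
    printf 'ignore lists differ\n deny.toml: %s\n CI: %s\n' "$deny_set" "$ci_set" >&2
    return 1
  fi
}

# Constructed sample deny.toml for this example; RUSTSEC-0000-0001 is a
# placeholder id, not a real advisory.
write_sample_deny_toml() {
  cat > "$1" <<'EOF'
[advisories]
ignore = [
    "RUSTSEC-2026-0097",  # residual rand 0.8.5 via regorus; wsc uses no custom rand loggers
    { id = "RUSTSEC-0000-0001", reason = "placeholder, not a real advisory" },
]
EOF
}
```

In CI the flags can then be derived rather than hand-maintained: `cargo audit $(audit_flags_from_deny deny.toml)`, with `ignore_lists_in_sync deny.toml "<the CI command>"` as a separate step that fails the job on drift.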