fix: clear 3 RUSTSEC advisories (rand + wasmtime + rustls-webpki)#110
Merged
Three-part fix for #102 (originally scoped to rand; expanded to clear two adjacent advisories that surfaced once rand was no longer the loudest noise in cargo audit):

1. `cargo update -p rand@0.9.2` → 0.9.4. Clears RUSTSEC-2026-0097 for the 0.9.x instance (pulled via uuid, quinn-proto, debugid).
2. `cargo update -p wasmtime@43.0.1` → 43.0.2. Clears RUSTSEC-2026-0114 (panic on table allocation exceeding host address space).
3. `cargo update -p rustls-webpki` → 0.103.13. Clears RUSTSEC-2026-0104 (reachable panic in CRL parsing).

All three are within-minor patch bumps; no Cargo.toml edits needed because the existing version constraints were range-compatible.

The residual `rand 0.8.5` transitive (via regorus 0.2.8 policy engine) cannot be patched without an upstream regorus release that bumps to rand 0.9+. wsc does not use custom rand loggers, so the unsoundness from RUSTSEC-2026-0097 does not affect us. deny.toml already had this ignore; this commit adds the matching `--ignore RUSTSEC-2026-0097` flag to the cargo-audit CI step so the two ignore lists stay aligned.

Effect:
before: cargo audit → 4 vulnerabilities (rand x2, wasmtime, webpki)
after: cargo audit → 0 vulnerabilities (with --ignore list applied)

Fixes: #102

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report: All modified and coverable lines are covered by tests.
avrabe added a commit that referenced this pull request on May 11, 2026:
Patch release bundling four merged PRs:

- #107 — cargo-deny CI step hardening (closes #103)
- #108 — discharge lemma_le64_injective Verus admit (audit C-1 partial)
- #109 — repair fuzz_public_key target (audit follow-up from #98)
- #110 — clear 3 RUSTSEC advisories via dep bumps (fixes #102)

Companion work on 0.8.2+next:

- #111 — criterion benches for signature verification (#89)
- #112 — lift Kani wasm_module mask; document merkle + format

See CHANGELOG.md for the full release notes.

Trace: skip

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request on May 16, 2026:
The audit fix in PR #110 bumped rand 0.9.x to 0.9.4 but left the residual rand 0.8.5 in place (pulled by regorus 0.2.8). That instance was carried under an --ignore RUSTSEC-2026-0097 in supply-chain.yml and deny.toml with a comment "tracked for upstream resolution; sigil does not use custom rand loggers."

regorus 0.10 is now out and drops the rand 0.8.5 transitive from the dep graph entirely. With it gone, the ignore entry in deny.toml and the matching --ignore flag in supply-chain.yml are no longer needed — cargo audit returns 0 vulnerabilities (excluding the unmaintained rustls-pemfile, which stays in the ignore list pending upstream deprecation).

The regorus dep is feature-gated behind `--features rego` and is optional for power users of the Rego policy language; default builds do not use it. cargo build (default), cargo build --features rego, and cargo test --no-run --features rego all clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three-part fix for #102. Originally scoped to `rand`; expanded to clear two adjacent advisories that surfaced in CI once rand was no longer the loudest noise.
Changes (all Cargo.lock only; no Cargo.toml edits)
All three are within-minor patch bumps. Existing version constraints in `Cargo.toml` were already range-compatible.
CI-side change
The `cargo audit` step in `supply-chain.yml` had its own inline `--ignore` list that was out of sync with `deny.toml [advisories].ignore`. Added the matching `--ignore RUSTSEC-2026-0097` for the residual `rand 0.8.5` transitive that cannot be patched here (it's pulled by `regorus 0.2.8`, the OPA / Rego policy engine, which needs an upstream release bumping its rand pin to 0.9+).
`wsc` does not use custom rand loggers, so the unsoundness described by RUSTSEC-2026-0097 does not affect us — `deny.toml` already carries this justification.
Before / after
```
before: cargo audit → 4 vulnerabilities (rand x2, wasmtime, webpki)
after: cargo audit → 0 vulnerabilities (with the --ignore list applied)
```
Test plan
Fixes #102.