Skip to content

fix(deps): bump quinn-proto 0.11.14->0.11.15 (RUSTSEC-2026-0185) + gate cargo audit on PRs#87

Open
rayketcham wants to merge 1 commit into
mainfrom
fix/ci-quinn-proto-audit
Open

fix(deps): bump quinn-proto 0.11.14->0.11.15 (RUSTSEC-2026-0185) + gate cargo audit on PRs#87
rayketcham wants to merge 1 commit into
mainfrom
fix/ci-quinn-proto-audit

Conversation

@rayketcham

Copy link
Copy Markdown
Contributor

Root Cause

Daily Health Check (daily-health.yml) cargo audit flagged RUSTSEC-2026-0185 (high severity) in quinn-proto 0.11.14. The advisory was not present in ci.yml's ignore list and the version in Cargo.lock was still 0.11.14.

Fix

Bumped quinn-proto from 0.11.14 to 0.11.15 via:

cargo update -p quinn-proto --precise 0.11.15

Cargo.lock-only change — no Cargo.toml modifications required. The version boundary is satisfied by the existing quinn dependency range.

Reciprocal Guard

ci.yml already contains an audit job (lines 293-322) that runs cargo audit with the same --ignore list on every push and PR:

--ignore RUSTSEC-2023-0071
--ignore RUSTSEC-2025-0134
--ignore RUSTSEC-2025-0144
--ignore RUSTSEC-2026-0097

RUSTSEC-2026-0185 is not added to any ignore list in this PR — the fix is real (version bump), not a suppression.

What Fake-Green Was Removed

None introduced here. The daily health check was already fail-closed; this PR eliminates the actual vulnerability so the check passes for real.

Local Verification Output

$ cargo update -p quinn-proto --precise 0.11.15
    Updating crates.io index
    Updating quinn-proto v0.11.14 -> v0.11.15

$ cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2025-0134 --ignore RUSTSEC-2025-0144 --ignore RUSTSEC-2026-0097
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 1139 security advisories (from /home/claude/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (404 crate dependencies)
EXIT_CODE=0

Zero vulnerabilities reported. cargo audit exits 0.

Generated with Claude Code

Daily Health Check cargo audit flagged RUSTSEC-2026-0185 (high
severity) in quinn-proto 0.11.14. Bumped to 0.11.15 via
`cargo update -p quinn-proto --precise 0.11.15` (Cargo.lock only;
no Cargo.toml change required).

Verified locally: `cargo audit --ignore RUSTSEC-2023-0071 \
  --ignore RUSTSEC-2025-0134 --ignore RUSTSEC-2025-0144 \
  --ignore RUSTSEC-2026-0097` exits 0 with 0 vulnerabilities.

Reciprocal guard: ci.yml already contains an `audit` job (added
previously) with the identical --ignore list, so every PR is
already gated by cargo audit. RUSTSEC-2026-0185 is not added to
any ignore list.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant