
test: cover security dependency pins #125

Merged
saagpatel merged 1 commit into master from codex/test/security-dependency-pins on May 31, 2026

Conversation

@saagpatel saagpatel (Owner) commented May 31, 2026

What

  • Add Rust lockfile regression tests for patched security dependency floors.
  • Bump the locked tmp resolution used by JS tooling to clear the high pnpm audit finding.
  • Clarify the cargo-audit lz4_flex note so it reflects the actual vulnerable ranges instead of implying every locked lz4_flex copy must be 0.12.1.

Why

  • PR #110 (fix(deps): resolve high dependency alerts) is now conflicting and stale against current master, but the useful security regression coverage is still worth landing.
  • Current master already has patched openssl and hickory versions; lz4_flex has multiple locked versions, all outside the advisory vulnerable ranges.
  • CI surfaced a high tmp <0.2.6 advisory through developer tooling, so this PR also carries the narrow lockfile remediation needed to merge cleanly.

How

  • Parse Cargo.lock package entries in a targeted integration test.
  • Assert that openssl >= 0.10.79, that hickory-proto >= 0.26.1, and that every locked lz4_flex version is outside the <=0.11.5 and 0.12.0 ranges.
  • Update the tmp override/lockfile entries from 0.2.5-compatible ranges to 0.2.6.

Testing

  • Commands run:
    • rustfmt --check tests/security_dependency_versions.rs
    • cargo test --test security_dependency_versions
    • bash scripts/security/run-cargo-audit.sh
    • pnpm audit --audit-level high
  • Results:
    • rustfmt passed.
    • dependency version test passed: 3 passed.
    • cargo audit exited 0 with the existing allowed yanked-crate warnings.
    • pnpm audit exited 0; only moderate findings remain.

Performance impact

  • Bundle delta: none expected.
  • Build time delta: none expected outside one small test target.
  • Lighthouse delta: none.
  • API latency delta: none.
  • DB query delta: none.

Risk / Notes

  • This intentionally avoids the dependency churn of the stale PR #110 (fix(deps): resolve high dependency alerts), which would downgrade newer master dependencies.
  • Repo-wide cargo fmt --check still reports pre-existing formatting drift outside this patch, so verification used rustfmt on the new test file.
  • Local pnpm install --lockfile-only was blocked by machine policy; the lockfile delta is narrow and CI runs frozen install.

Screenshots (UI only)

  • N/A.

Lockfile rationale (if lockfile changed)

  • tmp is locked to 0.2.6 to clear GHSA-ph9p-34f9-6g65 for JS tooling paths while preserving the existing dependency graph shape.
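The Cargo.lock regression test that the How section describes, as an added example that is not the PR's own tests/security_dependency_versions.rs: it reads the `[[package]]` tables from lockfile text without a TOML crate, applies the openssl and hickory-proto floors and the two lz4_flex vulnerable ranges exactly as the description states them, and reports every offending copy rather than only the first one. The lockfile excerpt, the lz4_flex versions 0.11.6 and 0.12.1 it contains, and the extra finding for a watched crate that is missing from the lockfile are this example's assumptions, not facts from the PR.

```rust
// Added example (not the PR's tests/security_dependency_versions.rs): a dependency-free
// regression check over Cargo.lock text for the floors and ranges the PR lists. Crate
// names and bounds are the PR's; the lockfile text at the bottom is constructed input.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "x.y.z" (any "-pre"/"+build" suffix ignored). Derived Ord compares major, minor,
/// patch in turn, so 0.10.79 > 0.9.100. Anything other than exactly three numeric parts,
/// e.g. the top-level `version = 4` lockfile-format line, yields None.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(v)
}

fn flush(name: &mut Option<String>, ver: &mut Option<Version>, out: &mut Vec<(String, Version)>) {
    if let (Some(n), Some(v)) = (name.take(), ver.take()) {
        out.push((n, v));
    }
}

/// Every (name, version) pair from the `[[package]]` tables. A crate locked at several
/// versions appears once per copy, and the check below looks at every copy.
pub fn locked_versions(lock: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            flush(&mut name, &mut ver, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = parse_version(rest.trim_matches('"'));
        }
    }
    flush(&mut name, &mut ver, &mut out);
    out
}

/// True when `v` of `krate` falls in an advisory's vulnerable range. Floors mean "below the
/// patched release"; lz4_flex has two disjoint vulnerable ranges, so a single floor of
/// 0.12.1 would wrongly reject a fixed 0.11.x copy (the point of the PR's cargo-audit note).
pub fn vulnerable(krate: &str, v: Version) -> bool {
    match krate {
        "openssl" => v < Version(0, 10, 79),
        "hickory-proto" => v < Version(0, 26, 1),
        "lz4_flex" => v <= Version(0, 11, 5) || v == Version(0, 12, 0),
        _ => false,
    }
}

/// Crates the check expects to find, with the rule spelled out for the finding text.
pub const WATCHED: &[(&str, &str)] = &[
    ("openssl", ">= 0.10.79"),
    ("hickory-proto", ">= 0.26.1"),
    ("lz4_flex", "neither <=0.11.5 nor 0.12.0"),
];

/// One finding per violation; empty means the lockfile passes. A watched crate that is
/// absent is reported too (this example's choice, not something the PR states), so a
/// rename or removal cannot silently turn the check into a no-op.
pub fn findings(lock: &str) -> Vec<String> {
    let locked = locked_versions(lock);
    let mut out = Vec::new();
    for (krate, want) in WATCHED {
        let copies: Vec<Version> = locked.iter().filter(|(n, _)| n.as_str() == *krate).map(|(_, v)| *v).collect();
        if copies.is_empty() {
            out.push(format!("{krate} is not locked at all; update or drop this rule"));
        }
        for v in copies.into_iter().filter(|v| vulnerable(krate, *v)) {
            out.push(format!("{krate} {}.{}.{} is in a vulnerable range (want {want})", v.0, v.1, v.2));
        }
    }
    out
}

/// Constructed lockfile excerpt (sample input) mirroring the master state the PR describes:
/// patched openssl and hickory-proto, two lz4_flex copies both outside the vulnerable ranges.
pub const CLEAN_LOCK: &str = "version = 4\n\
    [[package]]\nname = \"hickory-proto\"\nversion = \"0.26.1\"\n\
    [[package]]\nname = \"lz4_flex\"\nversion = \"0.11.6\"\n\
    [[package]]\nname = \"lz4_flex\"\nversion = \"0.12.1\"\n\
    [[package]]\nname = \"openssl\"\nversion = \"0.10.79\"\n";

/// The same excerpt with openssl and both lz4_flex copies rolled back into vulnerable ranges.
pub fn stale_lock() -> String {
    CLEAN_LOCK.replace("0.10.79", "0.10.78").replace("0.11.6", "0.11.5").replace("0.12.1", "0.12.0")
}

fn main() {
    for (label, lock) in [("clean", CLEAN_LOCK.to_string()), ("stale", stale_lock())] {
        println!("{label}: {:?}", findings(&lock));
    }
}
```

On the clean excerpt `findings` is empty; on the rolled-back one it lists openssl 0.10.78, lz4_flex 0.11.5 and lz4_flex 0.12.0, one line per locked copy. A real test would read `Cargo.lock` from `CARGO_MANIFEST_DIR` and assert the list is empty; the version bounds belong next to the advisory identifiers so the next bump is a one-line change.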

@saagpatel saagpatel force-pushed the codex/test/security-dependency-pins branch from 27aba54 to 9fb057e May 31, 2026 08:03
@saagpatel saagpatel merged commit 97339db into master May 31, 2026
46 checks passed
@saagpatel saagpatel deleted the codex/test/security-dependency-pins branch May 31, 2026 08:11