fix: update idna to resolve CVE-2024-12224#3

Draft

dannyneira wants to merge 1 commit into

mainfrom

independabot/idna-CVE-2024-12224

Member

dannyneira commented May 17, 2026

Summary

Updates the transitive Rust idna dependency from 0.4.0 to 1.1.0 via url 2.5.7 in Cargo.lock.
Resolves Dependabot alert: https://github.com/warpdotdev/graphql-ws-client/security/dependabot/6
Advisory: GHSA-h97m-ww89-6jmq / CVE-2024-12224

Details

idna was pulled in transitively through url -> tungstenite 0.21 -> tokio-tungstenite -> axum -> async-graphql-axum.
No direct dependency was added; the lockfile was refreshed with cargo update -p url --precise 2.5.7 so the existing dependency graph resolves to patched idna 1.1.0.
No Dependabot error was present for this alert.

Verification

cargo tree -i idna shows idna v1.1.0.
cargo audit no longer reports CVE-2024-12224 / GHSA-h97m-ww89-6jmq; it still reports unrelated pre-existing advisories for other packages.
cargo build passes.
cargo test passes.

Conversation: https://staging.warp.dev/conversation/037d7257-35d0-4480-b311-9a4b8441ecf8
Run: https://oz.staging.warp.dev/runs/019e36aa-7c51-76af-885c-8b70061e1ab5
This PR was generated with Oz.


          fix: update idna to resolve CVE-2024-12224

6c9cdf7

Co-Authored-By: Oz <oz-agent@warp.dev>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet