fix(deps): patch dependabot advisories + CTF cred housekeeping#105
Closed
The cyber range layers contain plaintext passwords and an ed25519 private key that are part of the test fixture, not real secrets. Automated secret scanners were repeatedly flagging them. Add a paths-ignore for range/ to GitHub secret scanning, a top-level CTF-NOTICE explaining the fictional nature of the directory, and inline markers next to the chpasswd lines and the leaked-key layer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Closes 8 open dependabot alerts via transitive lockfile bumps:

- rustls-webpki 0.103.9 -> 0.103.13 — CRL/URI/wildcard name-constraint handling and panic-on-malformed-CRL DoS (alerts #27 #42 #43 #47)
- rand 0.8.5 -> 0.8.6 and 0.9.2 -> 0.9.4 — soundness fix for callers using a custom logger with rand::rng() (#45 #46)
- h3 1.15.8 -> 1.15.11 (website) — path traversal via double-decoded %252e%252e in serveStatic and SSE event injection via unsanitized carriage return (#24 #25)

No direct dependency edits; all bumps are transitive.
Superseded by #106 (rebranched from misnamed
Summary
standards/ submodule to current main (adds playwright/vitest/banned-words guides).

Commits

- 224aa47 fix(deps): patch security advisories — closes #24 #25 #27 #42 #43 #45 #46 #47
- ecdfd41 chore(range): mark CTF credentials as fictional — adds .github/secret_scanning.yml (paths-ignore: range/**), range/CTF-NOTICE.md, and inline markers next to the chpasswd lines
- 634147d chore: bump standards submodule

Release

The fix(deps): commit triggers a patch release (v0.15.0 → v0.15.1) on merge per prepare-release.py rules.

Verified

- cargo test --all passes on bumped lockfile (257 passed, 1 ignored)
- cargo check --all passes
- range/vm/build/ are gitignored; only the layer sources changed

How to verify

- range/CTF-NOTICE.md and the .github/secret_scanning.yml paths-ignore
- standards/ submodule pointer moves from 0c5d454 → 39e0764