chore(deps): bump crossbeam-epoch, anyhow, memmap2 for RustSec advisories (#670)#671
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #670
Root cause
cargo auditonorigin/main(b4590ca) reports 3 vulnerabilities and 6 warnings against transitive/direct deps inCargo.lock:crossbeam-epoch 0.9.18— RUSTSEC-2026-0204 (vulnerability, invalid pointer deref infmt::PointerforAtomic/Shared)anyhow 1.0.102— RUSTSEC-2026-0190 (unsound,Error::downcast_mut())memmap2 0.9.10— RUSTSEC-2026-0186 (unsound, unchecked pointer offset)All three have semver-compatible fixed releases, so a lockfile bump is sufficient — no manifest edits needed.
Fix
Lockfile-only updates via
cargo update -p:crossbeam-epoch0.9.18 → 0.9.20anyhow1.0.102 → 1.0.103memmap20.9.10 → 0.9.11Not fixed here (out of scope for a triage-bot PR)
pyo3 0.24.2(RUSTSEC-2026-0176, RUSTSEC-2026-0177) requires bump to>=0.29.0. That is 5 major-version jumps with API-breaking changes acrosscrates/fff-python/src/{lib,finder,types,conversions}.rs. Grep confirms the vulnerable APIs (PyList::nth/PyTuple::nth,PyCFunction::new_closure) are not used in this crate, so exposure is nil. Leaving for @dmtrKovalenko to schedule as a dedicated bump.git2 0.20.4(RUSTSEC-2026-0183, RUSTSEC-2026-0184) — no fixed release in the 0.20.x line;Remote::list()andBlameHunk::signature()are not called anywhere in the workspace (grep clean).rand 0.8.5(RUSTSEC-2026-0097) — dev-dep / transitive viaphf_generator, not in the runtime path.bincode 1.3.3(RUSTSEC-2025-0141, unmaintained) — transitive viaheed-types; upstream must move first.Steps to reproduce
git fetch origin main git checkout b4590ca cargo install cargo-audit --locked # if not installed cargo auditExpected on pre-fix
main:with
crossbeam-epoch 0.9.18,pyo3 0.24.2x2 listed as vulnerabilities.How verified
Post-fix
cargo audit:RUSTSEC-2026-0204, -0190, -0186 no longer reported.
Automated triage via Gustav. Honk-Honk 🪿