Skip to content

chore(deps): bump crossbeam-epoch, anyhow, memmap2 for RustSec advisories (#670)#671

Merged
dmtrKovalenko merged 1 commit into
mainfrom
triage-bot/issue-670
Jul 11, 2026
Merged

chore(deps): bump crossbeam-epoch, anyhow, memmap2 for RustSec advisories (#670)#671
dmtrKovalenko merged 1 commit into
mainfrom
triage-bot/issue-670

Conversation

@gustav-fff

Copy link
Copy Markdown
Collaborator

Closes #670

Root cause

cargo audit on origin/main (b4590ca) reports 3 vulnerabilities and 6 warnings against transitive/direct deps in Cargo.lock:

  • crossbeam-epoch 0.9.18 — RUSTSEC-2026-0204 (vulnerability, invalid pointer deref in fmt::Pointer for Atomic/Shared)
  • anyhow 1.0.102 — RUSTSEC-2026-0190 (unsound, Error::downcast_mut())
  • memmap2 0.9.10 — RUSTSEC-2026-0186 (unsound, unchecked pointer offset)

All three have semver-compatible fixed releases, so a lockfile bump is sufficient — no manifest edits needed.

Fix

Lockfile-only updates via cargo update -p:

  • crossbeam-epoch 0.9.18 → 0.9.20
  • anyhow 1.0.102 → 1.0.103
  • memmap2 0.9.10 → 0.9.11

Not fixed here (out of scope for a triage-bot PR)

  • pyo3 0.24.2 (RUSTSEC-2026-0176, RUSTSEC-2026-0177) requires bump to >=0.29.0. That is 5 major-version jumps with API-breaking changes across crates/fff-python/src/{lib,finder,types,conversions}.rs. Grep confirms the vulnerable APIs (PyList::nth/PyTuple::nth, PyCFunction::new_closure) are not used in this crate, so exposure is nil. Leaving for @dmtrKovalenko to schedule as a dedicated bump.
  • git2 0.20.4 (RUSTSEC-2026-0183, RUSTSEC-2026-0184) — no fixed release in the 0.20.x line; Remote::list() and BlameHunk::signature() are not called anywhere in the workspace (grep clean).
  • rand 0.8.5 (RUSTSEC-2026-0097) — dev-dep / transitive via phf_generator, not in the runtime path.
  • bincode 1.3.3 (RUSTSEC-2025-0141, unmaintained) — transitive via heed-types; upstream must move first.

Steps to reproduce

git fetch origin main
git checkout b4590ca
cargo install cargo-audit --locked  # if not installed
cargo audit

Expected on pre-fix main:

error: 3 vulnerabilities found!
warning: 6 allowed warnings found

with crossbeam-epoch 0.9.18, pyo3 0.24.2 x2 listed as vulnerabilities.

How verified

cargo update -p crossbeam-epoch -p anyhow -p memmap2
cargo check --workspace   # clean
cargo test -p fff-search --lib   # 103 passed; 0 failed
cargo audit

Post-fix cargo audit:

error: 2 vulnerabilities found!   # both pyo3, see "Not fixed here"
warning: 4 allowed warnings found

RUSTSEC-2026-0204, -0190, -0186 no longer reported.

Automated triage via Gustav. Honk-Honk 🪿

…ries (#670)

- crossbeam-epoch 0.9.18 -> 0.9.20 (RUSTSEC-2026-0204, vulnerability)
- anyhow 1.0.102 -> 1.0.103 (RUSTSEC-2026-0190, unsound)
- memmap2 0.9.10 -> 0.9.11 (RUSTSEC-2026-0186, unsound)

Lockfile-only, no manifest bumps required (all semver-compatible).

Refs #670
@dmtrKovalenko dmtrKovalenko merged commit 44a5b25 into main Jul 11, 2026
52 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fix rust sec issues

2 participants