Skip to content

Fix cargo audit vulnerabilities (2026-05-11)#54

Open
la10736 wants to merge 1 commit into
mainfrom
md/fix-audit-2026-05-11
Open

Fix cargo audit vulnerabilities (2026-05-11)#54
la10736 wants to merge 1 commit into
mainfrom
md/fix-audit-2026-05-11

Conversation

@la10736
Copy link
Copy Markdown
Contributor

@la10736 la10736 commented May 11, 2026

Summary

  • Updated 4 crates to fix vulnerabilities directly:
    • bytes 1.10.1 → 1.11.1 (RUSTSEC-2026-0007: integer overflow in BytesMut::reserve)
    • rustls-webpki 0.103.4 → 0.103.13 (fixes RUSTSEC-2026-0049, -0098, -0099, -0104)
    • quinn-proto 0.11.13 → 0.11.14 (RUSTSEC-2026-0037: DoS in Quinn endpoints)
    • time 0.3.43 → 0.3.47 (RUSTSEC-2026-0009: stack exhaustion DoS)
  • Rebuilt ignore list from scratch — removed stale RUSTSEC-2024-0336 entry, added 21 new motivated ignore entries grouped by source:
    • hickory-proto (libp2p/litep2p transitive, no compatible update)
    • rustls-webpki 0.101.7/0.102.8 (pinned by major version boundary, primary 0.103 path already fixed)
    • wasmtime 8.0.1 (polkadot-sdk): Component Model not used, WASI not used, Winch not used, non-default config not triggered
    • keccak (ARMv8 asm feature not enabled), rand (custom logger not used), lru (IterMut not exercised)
  • cargo audit now passes cleanly (0 errors, 0 denied warnings)

Test plan

  • cargo audit returns 0 errors and 0 denied warnings
  • Verify cargo check still compiles successfully

🤖 Generated with Claude Code

@la10736 @claude
Fix cargo audit: update 4 crates, add 21 new ignore entries
6913a43 
Updated dependencies:
- bytes 1.10.1 → 1.11.1 (RUSTSEC-2026-0007)
- rustls-webpki 0.103.4 → 0.103.13 (4 advisories)
- quinn-proto 0.11.13 → 0.11.14 (RUSTSEC-2026-0037)
- time 0.3.43 → 0.3.47 (RUSTSEC-2026-0009)

Rebuilt ignore list from scratch:
- Removed stale RUSTSEC-2024-0336 (no longer fires)
- Added 21 new entries for wasmtime, hickory-proto, rustls-webpki,
  keccak, and rand advisories with motivated comments
- Refreshed existing entries with updated comments

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@la10736 la10736 requested review from 95DDB and drgora May 11, 2026 13:28
drgora
drgora approved these changes May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@drgora drgora left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drgora drgora drgora approved these changes

@95DDB 95DDB Awaiting requested review from 95DDB

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@la10736 @drgora