chore(deps): bump anyhow 1.0.103 + quinn-proto 0.11.15 (clear fixable RUSTSEC-2026 advisories)#46
Conversation
…le RUSTSEC-2026 advisories Closes the two RustSec advisories that HAVE a fix (lockfile-only, both within the declared semver ranges; verified gone via cargo-audit): - RUSTSEC-2026-0190 — unsoundness (UB) in `anyhow::Error::downcast_mut` -> anyhow 1.0.103 - RUSTSEC-2026-0185 — quinn-proto -> 0.11.15 Left in place (no fix available; NOT ignored, per the repo's `ignore = []` policy — this is the irreducible set that keeps Security Audit red on `main` too, until upstream moves): - RUSTSEC-2026-0097 (rand, unsound only with a custom logger + `rand::rng()`) — rand is already at latest, no patched release yet, and victauri does not use that pattern. - The unmaintained gtk3 stack (atk/gdk/gtk/glib/gtk3-macros/... via tauri) + fxhash, instant, proc-macro-error, unic-* — abandoned crates with no maintained replacement until tauri migrates off gtk3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01W3W4WofCBkV9TgYAzjTdM7
|
Correction to the PR description. I under-claimed: CI has now shown Security Audit ✅ and Dependency Checks ✅ both PASS on this branch. I'd assumed the unmaintained gtk3 stack ( Net: this turns the advisory gates green with a two-line lockfile change; it also unblocks #45's advisory checks once this lands on |
What
Lockfile-only bump of the two dependencies with a published fix for a live RustSec advisory:
RUSTSEC-2026-0190— unsoundness (UB) inanyhow::Error::downcast_mut→ anyhow 1.0.102 → 1.0.103RUSTSEC-2026-0185—quinn-proto→ 0.11.14 → 0.11.15Both are within the declared semver ranges (no
Cargo.tomlchange). Verified withcargo audit: both advisories are gone from the scan after the bump.Why not the rest
The remaining advisories have no fix, so they're left in place (the repo's
deny.tomlisignore = []by policy — this is the same irreducible set that keeps Security Audit red onmaintoo, e.g. commit92e854d):RUSTSEC-2026-0097(rand, unsound only with a custom logger +rand::rng()) —randis already at its latest release, no patched version exists yet, and victauri does not use that pattern.atk,gdk,gtk,glib,gtk3-macros, …, all transitive viatauri) plusfxhash,instant,proc-macro-error,unic-*— abandoned crates with no maintained replacement until tauri migrates off gtk3.So this PR reduces the vulnerable-dependency surface (closes the 2 fixable 2026 advisories) but does not turn Security Audit / Dependency Checks green — that requires either upstream fixes for the abandoned crates or a
deny.tomlignore policy, which is a maintainer decision, deliberately not made here.The pre-push gate (full workspace build + test + clippy + fmt) passed on the bumped lockfile.
🤖 Generated with Claude Code