Skip to content

chore(deps): bump anyhow 1.0.103 + quinn-proto 0.11.15 (clear fixable RUSTSEC-2026 advisories)#46

Merged
runyourempire merged 1 commit into
mainfrom
chore/advisory-bumps
Jul 1, 2026
Merged

chore(deps): bump anyhow 1.0.103 + quinn-proto 0.11.15 (clear fixable RUSTSEC-2026 advisories)#46
runyourempire merged 1 commit into
mainfrom
chore/advisory-bumps

Conversation

@runyourempire

Copy link
Copy Markdown
Collaborator

What

Lockfile-only bump of the two dependencies with a published fix for a live RustSec advisory:

  • RUSTSEC-2026-0190 — unsoundness (UB) in anyhow::Error::downcast_mutanyhow 1.0.102 → 1.0.103
  • RUSTSEC-2026-0185quinn-proto0.11.14 → 0.11.15

Both are within the declared semver ranges (no Cargo.toml change). Verified with cargo audit: both advisories are gone from the scan after the bump.

Why not the rest

The remaining advisories have no fix, so they're left in place (the repo's deny.toml is ignore = [] by policy — this is the same irreducible set that keeps Security Audit red on main too, e.g. commit 92e854d):

  • RUSTSEC-2026-0097 (rand, unsound only with a custom logger + rand::rng()) — rand is already at its latest release, no patched version exists yet, and victauri does not use that pattern.
  • The unmaintained gtk3 stack (atk, gdk, gtk, glib, gtk3-macros, …, all transitive via tauri) plus fxhash, instant, proc-macro-error, unic-* — abandoned crates with no maintained replacement until tauri migrates off gtk3.

So this PR reduces the vulnerable-dependency surface (closes the 2 fixable 2026 advisories) but does not turn Security Audit / Dependency Checks green — that requires either upstream fixes for the abandoned crates or a deny.toml ignore policy, which is a maintainer decision, deliberately not made here.

The pre-push gate (full workspace build + test + clippy + fmt) passed on the bumped lockfile.

🤖 Generated with Claude Code

…le RUSTSEC-2026 advisories

Closes the two RustSec advisories that HAVE a fix (lockfile-only, both within the
declared semver ranges; verified gone via cargo-audit):

- RUSTSEC-2026-0190 — unsoundness (UB) in `anyhow::Error::downcast_mut` -> anyhow 1.0.103
- RUSTSEC-2026-0185 — quinn-proto -> 0.11.15

Left in place (no fix available; NOT ignored, per the repo's `ignore = []` policy — this
is the irreducible set that keeps Security Audit red on `main` too, until upstream moves):
- RUSTSEC-2026-0097 (rand, unsound only with a custom logger + `rand::rng()`) — rand is
  already at latest, no patched release yet, and victauri does not use that pattern.
- The unmaintained gtk3 stack (atk/gdk/gtk/glib/gtk3-macros/... via tauri) + fxhash,
  instant, proc-macro-error, unic-* — abandoned crates with no maintained replacement
  until tauri migrates off gtk3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01W3W4WofCBkV9TgYAzjTdM7
@runyourempire

Copy link
Copy Markdown
Collaborator Author

Correction to the PR description. I under-claimed: CI has now shown Security Audit ✅ and Dependency Checks ✅ both PASS on this branch. I'd assumed the unmaintained gtk3 stack (atk/gdk/gtk/…) would keep them red, but CI runs plain cargo audit (which treats unmaintained/unsound as non-failing warnings) and cargo-deny with unmaintained = "workspace" (transitive gtk3 isn't denied). So the checks were failing only on the two fixable advisories — RUSTSEC-2026-0185 (quinn-proto, a vulnerability) and RUSTSEC-2026-0190 (anyhow, unsound, denied by cargo-deny) — and this bump clears both. The remaining unmaintained/unsound entries (rand, glib, gtk3 stack) stay as warnings and do not fail either gate.

Net: this turns the advisory gates green with a two-line lockfile change; it also unblocks #45's advisory checks once this lands on main.

@runyourempire runyourempire merged commit e6e578f into main Jul 1, 2026
21 checks passed
@runyourempire runyourempire deleted the chore/advisory-bumps branch July 1, 2026 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant