
chore: update dependencies #180

Description

@dobby-coder

Security vulnerabilities (fix first)

| CVE / Advisory | Package | Severity | Current | Fixed in | Notes |
|---|---|---|---|---|---|
| RUSTSEC-2026-0141 | lettre | High (CVSS 4.0 AV:N/AC:L) | 0.11.19 | >= 0.11.22 | Inverted-boolean bug silently disables TLS hostname verification when using the boring-tls backend, enabling SMTP MITM. Affects 0.10.1–0.11.21. Note: this project does not explicitly enable boring-tls; the upgrade is still strongly recommended as a precaution. |
| RUSTSEC-2026-0097 | rand | Unsound (memory safety) | 0.10.0 | >= 0.10.1 | Aliased mutable reference / UB when a custom `log` logger calls `rand::rng()` during reseeding (with the `log` + `thread_rng` features enabled). |

Outdated packages

| Package | Current | Latest | Bump type | Notes |
|---|---|---|---|---|
| lettre | 0.11.19 | 0.11.22 | patch | See security advisory above |
| rand | 0.10.0 | 0.10.1 | patch | See security advisory above |
| tokio | 1.48.0 | 1.52.3 | patch | |
| uuid | 1.18.1 | 1.23.4 | minor | |
| reqwest | 0.13.0 | 0.13.4 | patch | |
| serde_json | 1.0.145 | 1.0.150 | patch | |
| chrono | 0.4.42 | 0.4.45 | patch | |
| log | 0.4.28 | 0.4.33 | patch | |
| url | 2.5.7 | 2.5.8 | patch | |
| tokio-util | 0.7.17 | 0.7.18 | patch | |
| minreq | 2.14.1 | 3.0.0 | major | Review changelog and API changes before upgrading |

Worker instructions

  • Fix all CVEs first, in severity order (critical→high→medium→low). Every CVE must be resolved in this PR.
    • lettre: bump to "0.11.22" in Cargo.toml
    • rand: bump to "0.10.1" in Cargo.toml
  • Then all minor/patch bumps. Evaluate majors individually (update + refactor; do not skip majors).
    • minreq is a major bump (2.x → 3.x): read the changelog, adapt call sites if needed.
  • Note: cargo-outdated and cargo-audit were not installed in the scan environment; use cargo update and verify that Cargo.lock reflects the latest versions. Run cargo audit if you can install it via cargo install cargo-audit.
  • Build + run full local test suite after each batch (cargo fmt --check && cargo clippy -- -D warnings && cargo test); fix any compile/test failures.
  • Create a DRAFT PR once local tests pass. Title: chore: update dependencies. Assign reviewer rubenhensen.
  • Include the following on its own line in the PR body: Closes #<this issue number>
  • Monitor CI (gh pr checks --watch); fix CI failures (fmt, clippy, test); when green: gh pr ready.
  • If no test suite exists, note that in the PR body.
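Added example (not code from the issue or the project): a Python check for the "verify Cargo.lock reflects the latest versions" step, useful when cargo-audit cannot be installed. The advisory ranges are taken from the table in this issue; the Cargo.lock excerpt is constructed, and it also catches the case where a second, still-vulnerable copy of a crate survives `cargo update` because another dependency pins it.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock excerpt (not the project's real lock file). It keeps
# two copies of `rand` on purpose: that is what you see when another dependency
# still pins the old release after `cargo update`, and the advisory stays open.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "lettre"
version = "0.11.22"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.10.1"

[[package]]
name = "rand"
version = "0.10.0"
"""

# Advisories from the issue table: (id, crate, first affected, fixed in).
ADVISORIES = [
    ("RUSTSEC-2026-0141", "lettre", "0.10.1", "0.11.22"),
    ("RUSTSEC-2026-0097", "rand", "0.10.0", "0.10.1"),
]

# cargo writes `name` directly followed by `version` inside each [[package]].
PACKAGE_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def parse_version(v: str) -> Tuple[int, ...]:
    """'0.11.22' -> (0, 11, 22); a pre-release/build suffix is ignored."""
    return tuple(int(p) for p in re.split(r"[-+]", v)[0].split("."))

def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Every (crate, version) pair in the lock file, duplicates included."""
    return PACKAGE_RE.findall(text)

def unresolved_advisories(lock_text: str, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Advisory id -> locked versions still inside the affected range [first, fixed)."""
    locked = parse_cargo_lock(lock_text)
    findings: Dict[str, List[str]] = {}
    for adv_id, crate, first_affected, fixed_in in advisories:
        lo, hi = parse_version(first_affected), parse_version(fixed_in)
        bad = [v for name, v in locked if name == crate and lo <= parse_version(v) < hi]
        if bad:
            findings[adv_id] = bad
    return findings
```

Run `unresolved_advisories(open("Cargo.lock").read())` against the real lock file; an empty dict means both advisories are resolved for every locked copy of the crate.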

Metadata

Assignees: No one assigned

Labels: dependencies (Pull requests that update a dependency file)