## Security vulnerabilities (fix first)

- lettre: Inverted-boolean bug silently disables TLS hostname verification when using the `boring-tls` backend, enabling SMTP MITM. Affects 0.10.1–0.11.21. Note: this project does not explicitly enable `boring-tls`; upgrade is still strongly recommended as a precaution.
- rand: Aliased mutable reference / UB when a custom `log` logger calls `rand::rng()` during reseeding (with `log` + `thread_rng` features enabled).
## Outdated packages

| Package | Current | Latest | Bump type | Notes |
|---|---|---|---|---|
| lettre | 0.11.19 | 0.11.22 | patch | See security advisory above |
| rand | 0.10.0 | 0.10.1 | patch | See security advisory above |
| tokio | 1.48.0 | 1.52.3 | patch | |
| uuid | 1.18.1 | 1.23.4 | minor | |
| reqwest | 0.13.0 | 0.13.4 | patch | |
| serde_json | 1.0.145 | 1.0.150 | patch | |
| chrono | 0.4.42 | 0.4.45 | patch | |
| log | 0.4.28 | 0.4.33 | patch | |
| url | 2.5.7 | 2.5.8 | patch | |
| tokio-util | 0.7.17 | 0.7.18 | patch | |
| minreq | 2.14.1 | 3.0.0 | major | Review changelog and API changes before upgrading |
## Worker instructions

1. Fix all CVEs first, in severity order (critical → high → medium → low). Every CVE must be resolved in this PR.
   - lettre: bump to `"0.11.22"` in Cargo.toml
   - rand: bump to `"0.10.1"` in Cargo.toml
2. Then all minor/patch bumps. Evaluate majors individually (update + refactor; do not skip majors).
   - `minreq` is a major bump (2.x → 3.x): read the changelog, adapt call sites if needed.
   - Note: `cargo-outdated` and `cargo-audit` were not installed in the scan environment; use `cargo update` and verify Cargo.lock reflects latest versions. Run `cargo audit` if you can install it via `cargo install cargo-audit`.
3. Build + run full local test suite after each batch (`cargo fmt --check && cargo clippy -- -D warnings && cargo test`); fix any compile/test failures.
4. Create a DRAFT PR once local tests pass. Title: `chore: update dependencies`. Assign reviewer rubenhensen.
5. Include the following on its own line in the PR body: `Closes #<this issue number>`
6. Monitor CI (`gh pr checks --watch`); fix CI failures (fmt, clippy, test); when green: `gh pr ready`.
7. If no test suite exists, note that in the PR body.