Skip to content

fix: patch assistsupport rust advisories#190

Merged
saagpatel merged 2 commits into
masterfrom
codex/fix/assistsupport-lru-advisory
Jul 4, 2026
Merged

fix: patch assistsupport rust advisories#190
saagpatel merged 2 commits into
masterfrom
codex/fix/assistsupport-lru-advisory

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

Summary

  • upgrade LanceDB/Arrow to remove the vulnerable lru path
  • patch Rust advisory drift for quinn-proto, anyhow, memmap2, and Tauri build tooling so old rand is gone
  • keep the Rust audit gate green with scoped quick-xml waivers for upstream-constrained calamine and Tauri/plist paths

Lockfile rationale

This PR intentionally updates src-tauri/Cargo.lock to resolve Dependabot/RustSec advisory paths while keeping runtime manifests narrow. lancedb moves to 0.30.0 because it removes lru without adding the extra quick-xml 0.26 chain present in 0.31.0. The Tauri utility/tooling patch updates remove the old rand 0.7.3 build-time path.

Verification

  • cd src-tauri && cargo check --locked
  • pnpm run test:security:audit:rust
  • cd src-tauri && cargo tree -i lru --locked reports no package
  • cd src-tauri && cargo tree --target all -i rand@0.7.3 --locked reports no package

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8dbe0d4829

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +38 to +39
- `lancedb` upgraded to `0.30.0`, removing vulnerable `lru`.
- `rand` resolved to patched `0.8.6`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Remove resolved RustSec waivers

These remediation notes say lru and the vulnerable rand path are gone, and I checked the new src-tauri/Cargo.lock has no lru package and no rand 0.7.3; however scripts/security/run-cargo-audit.sh still passes --ignore RUSTSEC-2026-0002 and --ignore RUSTSEC-2026-0097. Because cargo audit --ignore suppresses those advisory IDs, the required pnpm run test:security:audit:rust gate would stay green if a future lockfile update reintroduced either vulnerability, so the fix should drop the stale ignores when declaring them remediated.

Useful? React with 👍 / 👎.

- `lancedb` upgraded to `0.30.0`, removing vulnerable `lru`.
- `rand` resolved to patched `0.8.6`.
- `quinn-proto`, `anyhow`, and `memmap2` patch updates applied for newly published RustSec advisories.
- `quick-xml` advisories `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` are temporarily waived for constrained `calamine` and Tauri/plist transitive paths.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add an expiry to the new quick-xml waiver

This adds temporary quick-xml waivers, but this same baseline's Policy section requires every temporary Rust waiver to include owner, issue, expiry, and rationale; the new RUSTSEC-2026-0194/0195 entries include an owner/issue/rationale but no expiry, and the audit script's review date remains 2026-03-09. Without an expiry, these DoS advisories can remain suppressed indefinitely rather than being forced back through triage.

Useful? React with 👍 / 👎.

@saagpatel saagpatel merged commit c849d11 into master Jul 4, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant