fix: patch assistsupport rust advisories#190
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8dbe0d4829
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - `lancedb` upgraded to `0.30.0`, removing vulnerable `lru`. | ||
| - `rand` resolved to patched `0.8.6`. |
There was a problem hiding this comment.
Remove resolved RustSec waivers
These remediation notes say lru and the vulnerable rand path are gone, and I checked the new src-tauri/Cargo.lock has no lru package and no rand 0.7.3; however scripts/security/run-cargo-audit.sh still passes --ignore RUSTSEC-2026-0002 and --ignore RUSTSEC-2026-0097. Because cargo audit --ignore suppresses those advisory IDs, the required pnpm run test:security:audit:rust gate would stay green if a future lockfile update reintroduced either vulnerability, so the fix should drop the stale ignores when declaring them remediated.
Useful? React with 👍 / 👎.
| - `lancedb` upgraded to `0.30.0`, removing vulnerable `lru`. | ||
| - `rand` resolved to patched `0.8.6`. | ||
| - `quinn-proto`, `anyhow`, and `memmap2` patch updates applied for newly published RustSec advisories. | ||
| - `quick-xml` advisories `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` are temporarily waived for constrained `calamine` and Tauri/plist transitive paths. |
There was a problem hiding this comment.
Add an expiry to the new quick-xml waiver
This adds temporary quick-xml waivers, but this same baseline's Policy section requires every temporary Rust waiver to include owner, issue, expiry, and rationale; the new RUSTSEC-2026-0194/0195 entries include an owner/issue/rationale but no expiry, and the audit script's review date remains 2026-03-09. Without an expiry, these DoS advisories can remain suppressed indefinitely rather than being forced back through triage.
Useful? React with 👍 / 👎.
Summary
lrupathquinn-proto,anyhow,memmap2, and Tauri build tooling so oldrandis gonecalamineand Tauri/plist pathsLockfile rationale
This PR intentionally updates
src-tauri/Cargo.lockto resolve Dependabot/RustSec advisory paths while keeping runtime manifests narrow.lancedbmoves to0.30.0because it removeslruwithout adding the extraquick-xml 0.26chain present in0.31.0. The Tauri utility/tooling patch updates remove the oldrand 0.7.3build-time path.Verification
cd src-tauri && cargo check --lockedpnpm run test:security:audit:rustcd src-tauri && cargo tree -i lru --lockedreports no packagecd src-tauri && cargo tree --target all -i rand@0.7.3 --lockedreports no package