Skip to content

fix: clear RUSTSEC advisories failing the audit workflow#68

Merged
edochi merged 1 commit into
mainfrom
fix/audit-rustsec-advisories
Jul 7, 2026
Merged

fix: clear RUSTSEC advisories failing the audit workflow#68
edochi merged 1 commit into
mainfrom
fix/audit-rustsec-advisories

Conversation

@edochi

@edochi edochi commented Jul 7, 2026

Copy link
Copy Markdown
Owner

The weekly Audit workflow started failing at the cargo deny check step (run 28776138161, 2026-07-06) — the first failure after a long green streak. Lockfile-only bumps of two transitive deps clear the advisories.

Advisories cleared

  • RUSTSEC-2026-0190anyhow 1.0.102 → 1.0.103. Unsoundness in Error::downcast_mut() (borrow-rule violation / UB under Miri when .context() is followed by downcast_mut). Flagged by both cargo audit (warning) and cargo deny (error — this is what failed the job).
  • RUSTSEC-2026-0204crossbeam-epoch 0.9.18 → 0.9.20 (transitive via ignore/rayon). Invalid pointer dereference in the fmt::Pointer impl for Atomic/Shared. Published after the July 6 run, so it surfaced locally when verifying this fix; folding it in here to get the workflow fully green.

Verification

  • cargo deny checkadvisories ok, bans ok, licenses ok, sources ok
  • cargo check --all-targets --features testing-mocks compiles clean

Only Cargo.lock changed (4 lines); no manifest edits — both crates were already pinned with flexible ranges.

anyhow 1.0.102 -> 1.0.103 (RUSTSEC-2026-0190, unsound downcast_mut)
crossbeam-epoch 0.9.18 -> 0.9.20 (RUSTSEC-2026-0204, invalid ptr deref)

Co-Authored-By: Claude <noreply@anthropic.com>
@edochi edochi merged commit dcb4ee9 into main Jul 7, 2026
8 checks passed
@edochi edochi deleted the fix/audit-rustsec-advisories branch July 7, 2026 22:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant