FerrLabs · BryanFRD · May 24, 2026 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,7 +34,7 @@ workspace = true
 
 [features]
 default = ["cli"]
-cli = ["dep:gix", "dep:gix-traverse", "dep:ureq", "dep:clap", "dep:clap_complete", "dep:colored", "dep:hmac"]
+cli = ["dep:gix", "dep:gix-traverse", "dep:ureq", "dep:clap", "dep:clap_complete", "dep:colored", "dep:hmac", "dep:mimalloc"]
 
 [dependencies]
 serde = { version = "1", features = ["derive"] }
@@ -57,6 +57,10 @@ ureq = { version = "3", features = ["json"], optional = true }
 sha2 = "0.11.0"
 hex = "0.4.3"
 hmac = { version = "0.13", optional = true }
+# mimalloc: faster allocator for the CLI hot paths (TagIndex::build,
+# revwalk, regex captures). Typical 5-15% wall-time win on alloc-heavy
+# workloads — see #507. CLI-only (no value for the wasm build).
+mimalloc = { version = "0.1", default-features = false, optional = true }
 # tempfile is used at runtime by the TS config loader to drop the
 # generated wrapper script in a directory we own (security: writing into
 # the user's config directory is a symlink TOCTOU). Tests also use it.

diff --git a/deny.toml b/deny.toml
@@ -34,7 +34,18 @@ exceptions = []
 multiple-versions = "warn"
 wildcards = "deny"
 allow-wildcard-paths = true
-deny = []
+deny = [
+    # We migrated off libgit2 in #487. Reintroducing git2 / libgit2-sys
+    # silently re-adds ~3 MB to the release binary plus libgit2's CVE
+    # surface. Keep them banned.
+    { crate = "git2", reason = "Use gix (gitoxide) — see #487." },
+    { crate = "libgit2-sys", reason = "Pulled in only via git2 which is banned." },
+    # OpenSSL was vendored via the libgit2 chain. The gix migration
+    # removed it; if someone reintroduces it the binary jumps from
+    # ~5 MB to ~9 MB and we inherit OpenSSL's CVE cadence. Use rustls.
+    { crate = "openssl-sys", reason = "Use rustls (via gix / ureq) instead." },
+    { crate = "openssl-src", reason = "Vendoring OpenSSL bloats the binary." },
+]
 skip = []
 skip-tree = []
 

diff --git a/src/forge/github.rs b/src/forge/github.rs
@@ -7,6 +7,7 @@ pub struct GitHubForge {
     pub token: String,
     pub slug: String,
     pub api_base: String,
+    pub agent: ureq::Agent,
 }
 
 impl Forge for GitHubForge {
@@ -31,7 +32,8 @@ impl Forge for GitHubForge {
             payload["target_commitish"] = serde_json::Value::String(sha.to_string());
         }
 
-        ureq::post(&url)
+        self.agent
+            .post(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("X-GitHub-Api-Version", "2022-11-28")
@@ -46,7 +48,9 @@ impl Forge for GitHubForge {
     fn find_draft_release(&self, tag: &str) -> Result<Option<u64>> {
         let url = format!("{}/repos/{}/releases", self.api_base, self.slug);
 
-        let response: serde_json::Value = ureq::get(&url)
+        let response: serde_json::Value = self
+            .agent
+            .get(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("X-GitHub-Api-Version", "2022-11-28")
@@ -83,7 +87,8 @@ impl Forge for GitHubForge {
             "draft": false,
         });
 
-        ureq::patch(&url)
+        self.agent
+            .patch(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("X-GitHub-Api-Version", "2022-11-28")
@@ -111,7 +116,9 @@ impl Forge for GitHubForge {
             "base": base,
         });
 
-        let response: serde_json::Value = ureq::post(&url)
+        let response: serde_json::Value = self
+            .agent
+            .post(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("X-GitHub-Api-Version", "2022-11-28")
@@ -148,7 +155,9 @@ impl Forge for GitHubForge {
         });
 
         let graphql_url = format!("{}/graphql", self.api_base);
-        let response: serde_json::Value = ureq::post(&graphql_url)
+        let response: serde_json::Value = self
+            .agent
+            .post(&graphql_url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("User-Agent", "ferrflow")
             .send_json(query)
@@ -183,7 +192,9 @@ impl Forge for GitHubForge {
             "{}/repos/{}/issues/{}/comments?per_page=100",
             self.api_base, self.slug, pr_id
         );
-        let comments: Vec<serde_json::Value> = ureq::get(&url)
+        let comments: Vec<serde_json::Value> = self
+            .agent
+            .get(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("User-Agent", "ferrflow")
@@ -209,7 +220,8 @@ impl Forge for GitHubForge {
             "{}/repos/{}/issues/{}/comments",
             self.api_base, self.slug, pr_id
         );
-        ureq::post(&url)
+        self.agent
+            .post(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("User-Agent", "ferrflow")
@@ -223,7 +235,8 @@ impl Forge for GitHubForge {
             "{}/repos/{}/issues/comments/{}",
             self.api_base, self.slug, comment_id
         );
-        ureq::patch(&url)
+        self.agent
+            .patch(&url)
             .header("Authorization", &format!("Bearer {}", self.token))
             .header("Accept", "application/vnd.github+json")
             .header("User-Agent", "ferrflow")
@@ -242,6 +255,7 @@ mod tests {
             token: "test-token".to_string(),
             slug: "owner/repo".to_string(),
             api_base: "https://api.github.com".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         }
     }
 
@@ -423,6 +437,7 @@ mod tests {
             token: "tok".to_string(),
             slug: "owner/repo".to_string(),
             api_base: "https://github.corp.com/api/v3".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.api_base, "https://github.corp.com/api/v3");
     }

diff --git a/src/forge/gitlab.rs b/src/forge/gitlab.rs
@@ -8,6 +8,7 @@ pub struct GitLabForge {
     pub token: String,
     pub slug: String,
     pub api_base: String,
+    pub agent: ureq::Agent,
 }
 
 impl GitLabForge {
@@ -44,7 +45,8 @@ impl Forge for GitLabForge {
             payload["upcoming_release"] = serde_json::json!(true);
         }
 
-        ureq::post(&url)
+        self.agent
+            .post(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(payload)
@@ -79,7 +81,9 @@ impl Forge for GitLabForge {
             "description": body,
         });
 
-        let response: serde_json::Value = ureq::post(&url)
+        let response: serde_json::Value = self
+            .agent
+            .post(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(payload)
@@ -113,7 +117,9 @@ impl Forge for GitLabForge {
             "squash": true,
         });
 
-        let result = ureq::put(&url)
+        let result = self
+            .agent
+            .put(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(payload);
@@ -127,7 +133,8 @@ impl Forge for GitLabForge {
             "should_remove_source_branch": true,
         });
 
-        ureq::put(&url)
+        self.agent
+            .put(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(payload)
@@ -152,7 +159,9 @@ impl Forge for GitLabForge {
             self.encoded_project_id(),
             mr_id
         );
-        let notes: Vec<serde_json::Value> = ureq::get(&url)
+        let notes: Vec<serde_json::Value> = self
+            .agent
+            .get(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .call()
@@ -179,7 +188,8 @@ impl Forge for GitLabForge {
             self.encoded_project_id(),
             mr_id
         );
-        ureq::post(&url)
+        self.agent
+            .post(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(serde_json::json!({ "body": body }))
@@ -195,7 +205,8 @@ impl Forge for GitLabForge {
             mr_id,
             comment_id
         );
-        ureq::put(&url)
+        self.agent
+            .put(&url)
             .header("PRIVATE-TOKEN", &self.token)
             .header("User-Agent", "ferrflow")
             .send_json(serde_json::json!({ "body": body }))
@@ -214,6 +225,7 @@ mod tests {
             token: String::new(),
             slug: "owner/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.encoded_project_id(), "owner%2Frepo");
     }
@@ -224,6 +236,7 @@ mod tests {
             token: String::new(),
             slug: "group/subgroup/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.encoded_project_id(), "group%2Fsubgroup%2Frepo");
     }
@@ -234,6 +247,7 @@ mod tests {
             token: String::new(),
             slug: "owner/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.mr_noun(), "MR");
     }
@@ -244,6 +258,7 @@ mod tests {
             token: String::new(),
             slug: "owner/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.release_noun(), "GitLab Release");
     }
@@ -254,6 +269,7 @@ mod tests {
             token: String::new(),
             slug: "owner/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.find_draft_release("v1.0.0").unwrap(), None);
     }
@@ -264,6 +280,7 @@ mod tests {
             token: String::new(),
             slug: "owner/repo".to_string(),
             api_base: "https://gitlab.com/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert!(forge.publish_release(123).is_ok());
     }
@@ -303,6 +320,7 @@ mod tests {
             token: String::new(),
             slug: "team/project".to_string(),
             api_base: "https://gitlab.internal/api/v4".to_string(),
+            agent: ureq::Agent::new_with_defaults(),
         };
         assert_eq!(forge.api_base, "https://gitlab.internal/api/v4");
     }