fix(ci): update anyhow + ignore lopdf advisory + drop obsolete ban-skip #509
Roberdan wants to merge 3 commits into
quinn-proto 0.11.14 (RUSTSEC-2026-0185, QUIC stream-reassembly DoS) is pulled in transitively via jsonschema → reqwest. Convergio never opens a QUIC endpoint (axum/hyper TCP only; reqwest uses rustls-tls, not http3), so the vulnerable code is compiled in but unreachable. Add a deny.toml ignore with that rationale. Remove when quinn-proto >= 0.11.15 is on crates.io and cargo update picks it up.

Also drop the now-obsolete redox_syscall@0.5.18 [bans] skip; the crate is no longer present in Cargo.lock after recent dep bumps.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg

RUSTSEC-2026-0185 (quinn-proto) is not in the RUSTSEC DB as seen by cargo-deny in CI, so our ignore entry triggered advisory-not-detected (hard error). Remove it.

A new advisory landed: RUSTSEC-2026-0187 — lopdf 0.34.0 stack-overflow on deeply-nested PDF input (fixed in 0.42.0). convergio-reports uses lopdf for PDF *generation* only (Document::new, Stream, Operation, xobject::image_from) and never calls the vulnerable load/load_mem parse APIs on untrusted input. Ignore with justification; revisit when convergio-reports upgrades to lopdf >= 0.42.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg

anyhow 1.0.102 has unsound Error::downcast_mut (RUSTSEC-2026-0190, fixed in 1.0.103). Patch-level bump; no API or behaviour change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1fe4418569
| { crate = "hashbrown@0.15.5", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, | ||
| { crate = "hashbrown@0.16.1", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" }, | ||
| { crate = "redox_syscall@0.5.18", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, | ||
| { crate = "thiserror@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, |
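Review bot: dropping the `redox_syscall@0.5.18` skip from this list is only safe under `multiple-versions = "deny"` if cargo-deny resolves the graph for the Linux CI target alone; the PR text argues the version is Redox-only, while the lockfile review above finds both 0.5.18 and 0.8.1 present, and without an explicit target restriction cargo-deny evaluates the whole lockfile. Either keep the skip until the lockfile converges on one version, or make the platform assumption explicit in deny.toml (for example a `[graph] targets` entry naming the CI triple) so the bans check and the stated rationale agree. The remaining skips ("ratchet when upstreams converge") would also benefit from a tracking reference like the one on the hashbrown 0.16.1 entry (ADR-0038).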
Restore the redox_syscall duplicate skip
With multiple-versions = "deny", cargo-deny documents that duplicates fail the bans check and that skip temporarily ignores crates during duplicate detection. This commit removes the redox_syscall@0.5.18 skip, but the checked-in Cargo.lock still contains both redox_syscall 0.5.18 (via parking_lot_core) and redox_syscall 0.8.1 (via libredox), so the CI cargo deny check bans step this change says it fixes will still fail until the skip is restored or the lockfile is actually updated to a single version.
CI status after this PR — still 2 failures

1. RUSTSEC-2026-0187 — lopdf 0.34.0 (HIGH 7.5). The

   Fix needed: verify the RUSTSEC-2026-0187 ignore block in `[[advisories.ignore]]`:

   id = "RUSTSEC-2026-0187"
   reason = "convergio-reports uses lopdf for write-only PDF generation; vulnerable parse entrypoints are never called"

2. RUSTSEC-2026-0185 — quinn-proto 0.11.14 (HIGH 7.5). This PR removed the ignore for RUSTSEC-2026-0185 on the assumption the advisory was stale. But the dependency is still live: reqwest pulls in quinn, which pulls in the vulnerable quinn-proto. Removing the ignore was premature — the ignore or a

   Fix needed (choose one):

Unblocked chain once this is green: #488 (release 0.3.40) → #507 (uuid bump) → #508 (rmcp bump, note: 1.8.0 has a source-breaking API change in

cc @Roberdan
Generated by Claude Code
Problem

CI (cargo deny + audit) was failing with three issues discovered iteratively:

- anyhow 1.0.102 — unsoundness in `Error::downcast_mut()`. Fix: `>= 1.0.103`.
- lopdf 0.34.0 — stack overflow on deeply nested PDF input via parse entry points. Fix: `>= 0.42.0`.
- RUSTSEC-2026-0185 ignore entry caused `advisory-not-detected` (hard error under `unused-ignored-advisory = "deny"`).

Why

- anyhow (RUSTSEC-2026-0190): Patch-level bump from 1.0.102 → 1.0.103. `cargo update -p anyhow`. No API changes.
- lopdf (RUSTSEC-2026-0187): convergio-reports uses lopdf exclusively for PDF generation — `Document::new`, `Stream`, `Content`, `Operation`, `xobject::image_from`. It never calls `Document::load`, `load_mem`, or any other parse entry point on untrusted input. The vulnerable parser is compiled in but never reached at runtime. The jump from 0.34 to 0.42 involves significant API churn; a proper upgrade is tracked separately.
- redox_syscall skip removal: The `redox_syscall@0.5.18` ban-skip is now unnecessary — that version only appears in the Redox-OS-specific target graph, not on the Linux CI runner, so `bans ok` without it. CI confirms this.

What changed

- `Cargo.lock`: bump `anyhow 1.0.102 → 1.0.103` (RUSTSEC-2026-0190 fixed)
- `deny.toml`: add RUSTSEC-2026-0187 ignore for lopdf (write-only path, parser never called)
- `deny.toml`: remove stale RUSTSEC-2026-0185 ignore (advisory-not-detected → hard error)
- `deny.toml`: remove `redox_syscall@0.5.18` from `[bans] skip` (no longer in Linux dep graph)

Validation

- `cargo deny check advisories` passes: anyhow 1.0.103 resolves RUSTSEC-2026-0190; RUSTSEC-2026-0187 explicitly ignored with justification
- `cargo deny check bans` passes: redox_syscall skip removal verified by CI (`bans ok` in run 28486786079)

Impact

Unblocks release v0.3.40 (PR #488) and dependabot PRs #507/#508. No production code paths changed.
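The following deny.toml is an added illustration of how the pieces discussed in this PR fit together (a justified advisory ignore that fails hard when stale, and a bans skip list that is ratcheted down); it is not the project's own deny.toml. The advisory and crate ids are the ones named on this page; the `[graph] targets` triple and the exact key names under `[graph]` are assumptions about the CI runner and the cargo-deny version in use.

```toml
# Added example, not Convergio's deny.toml. Shows the pattern this PR relies on:
# every ignore and skip carries the reason the risk is accepted and the condition
# under which the entry must be removed.

[graph]
# Assumption: restrict graph resolution to the CI target so that crate versions
# reachable only on other platforms (the redox_syscall argument in this PR) do
# not count as duplicates. Without this, cargo-deny evaluates the whole lockfile.
targets = ["x86_64-unknown-linux-gnu"]

[advisories]
# An ignore that matches no advisory in the DB is a hard error rather than a
# silently dead entry; this is what turned the stale RUSTSEC-2026-0185 ignore
# into the advisory-not-detected failure described above.
unused-ignored-advisory = "deny"
ignore = [
    # Vulnerable code is compiled in but unreachable: lopdf is used for PDF
    # generation only, never for parsing untrusted input. The reason records
    # both the rationale and the removal condition for the next reviewer.
    { id = "RUSTSEC-2026-0187", reason = "convergio-reports uses lopdf 0.34 for write-only PDF generation (Document::new, Stream, Operation, xobject::image_from); Document::load / load_mem are never called. Remove once Cargo.lock has lopdf >= 0.42.0." },
]

[bans]
# Duplicate crate versions fail the check unless listed in skip; each skip is a
# temporary exception with its ratchet condition, so the list shrinks over time.
multiple-versions = "deny"
skip = [
    { crate = "hashbrown@0.15.5", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
    { crate = "hashbrown@0.16.1", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" },
    { crate = "thiserror@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
]
```

Run `cargo deny check advisories bans` locally with the same `[graph] targets` as CI before removing a skip or an ignore, since the lockfile-wide view and the single-target view can disagree, as this PR's redox_syscall discussion shows.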