Skip to content

fix(ci): update anyhow + ignore lopdf advisory + drop obsolete ban-skip#509

Open
Roberdan wants to merge 3 commits into
mainfrom
fix/rustsec-2026-0185-deny-ignore
Open

fix(ci): update anyhow + ignore lopdf advisory + drop obsolete ban-skip#509
Roberdan wants to merge 3 commits into
mainfrom
fix/rustsec-2026-0185-deny-ignore

Conversation

@Roberdan

@Roberdan Roberdan commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Problem

CI (cargo deny + audit) was failing with three issues discovered iteratively:

  1. RUSTSEC-2026-0190: anyhow 1.0.102 — unsoundness in Error::downcast_mut(). Fix: >= 1.0.103.
  2. RUSTSEC-2026-0187: lopdf 0.34.0 — stack overflow on deeply nested PDF input via parse entry points. Fix: >= 0.42.0.
  3. A stale RUSTSEC-2026-0185 ignore entry caused advisory-not-detected (hard error under unused-ignored-advisory = "deny").

Why

anyhow (RUSTSEC-2026-0190): Patch-level bump from 1.0.102 → 1.0.103. cargo update -p anyhow. No API changes.

lopdf (RUSTSEC-2026-0187): convergio-reports uses lopdf exclusively for PDF generationDocument::new, Stream, Content, Operation, xobject::image_from. It never calls Document::load, load_mem, or any other parse entry point on untrusted input. The vulnerable parser is compiled in but never reached at runtime. The jump from 0.34 to 0.42 involves significant API churn; a proper upgrade is tracked separately.

redox_syscall skip removal: The redox_syscall@0.5.18 ban-skip is now unnecessary — that version only appears in the Redox-OS-specific target graph, not on the Linux CI runner, so bans ok without it. CI confirms this.

What changed

  • Cargo.lock: bump anyhow 1.0.102 → 1.0.103 (RUSTSEC-2026-0190 fixed)
  • deny.toml: add RUSTSEC-2026-0187 ignore for lopdf (write-only path, parser never called)
  • deny.toml: remove stale RUSTSEC-2026-0185 ignore (advisory-not-detected → hard error)
  • deny.toml: remove redox_syscall@0.5.18 from [bans] skip (no longer in Linux dep graph)

Validation

Impact

Unblocks release v0.3.40 (PR #488) and dependabot PRs #507/#508. No production code paths changed.

claude added 2 commits July 1, 2026 01:14
quinn-proto 0.11.14 (RUSTSEC-2026-0185, QUIC stream-reassembly DoS)
is pulled in transitively via jsonschema → reqwest. Convergio never
opens a QUIC endpoint (axum/hyper TCP only; reqwest uses rustls-tls,
not http3), so the vulnerable code is compiled in but unreachable.

Add a deny.toml ignore with that rationale. Remove when quinn-proto
>= 0.11.15 is on crates.io and cargo update picks it up.

Also drop the now-obsolete redox_syscall@0.5.18 [bans] skip; the
crate is no longer present in Cargo.lock after recent dep bumps.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg
RUSTSEC-2026-0185 (quinn-proto) is not in the RUSTSEC DB as seen by
cargo-deny in CI, so our ignore entry triggered advisory-not-detected
(hard error). Remove it.

A new advisory landed: RUSTSEC-2026-0187 — lopdf 0.34.0 stack-overflow
on deeply-nested PDF input (fixed in 0.42.0). convergio-reports uses
lopdf for PDF *generation* only (Document::new, Stream, Operation,
xobject::image_from) and never calls the vulnerable load/load_mem parse
APIs on untrusted input. Ignore with justification; revisit when
convergio-reports upgrades to lopdf >= 0.42.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg
@Roberdan Roberdan changed the title fix(ci): ignore RUSTSEC-2026-0185 + drop obsolete ban-skip fix(ci): ignore RUSTSEC-2026-0187 (lopdf) + drop obsolete ban-skip Jul 1, 2026
anyhow 1.0.102 has unsound Error::downcast_mut (RUSTSEC-2026-0190,
fixed in 1.0.103). Patch-level bump; no API or behaviour change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1fe4418569

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deny.toml
{ crate = "hashbrown@0.15.5", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
{ crate = "hashbrown@0.16.1", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" },
{ crate = "redox_syscall@0.5.18", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
{ crate = "thiserror@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore the redox_syscall duplicate skip

With multiple-versions = "deny", cargo-deny documents that duplicates fail the bans check and that skip temporarily ignores crates during duplicate detection. This commit removes the redox_syscall@0.5.18 skip, but the checked-in Cargo.lock still contains both redox_syscall 0.5.18 (via parking_lot_core) and redox_syscall 0.8.1 (via libredox), so the CI cargo deny check bans step this change says it fixes will still fail until the skip is restored or the lockfile is actually updated to a single version.

Useful? React with 👍 / 👎.

@Roberdan Roberdan changed the title fix(ci): ignore RUSTSEC-2026-0187 (lopdf) + drop obsolete ban-skip fix(ci): update anyhow + ignore lopdf advisory + drop obsolete ban-skip Jul 1, 2026
@Roberdan

Roberdan commented Jul 2, 2026

Copy link
Copy Markdown
Owner Author

CI status after this PR — still 2 failures

cargo deny + audit is still failing on the head commit of this PR with 2 advisories. Routing this here since the PR body says it should fix CI.

RUSTSEC-2026-0187 — lopdf 0.34.0 (HIGH 7.5)

The deny.toml ignore added in this PR is not being honoured by CI. The advisory shows up live and exits non-zero. Possible causes:

  • Wrong TOML key format for the ignore entry (e.g. id vs advisory id format)
  • CI resolved deny.toml from main rather than from this branch (unlikely but worth ruling out)

Fix needed: verify the RUSTSEC-2026-0187 ignore block in deny.toml matches the expected cargo-deny format, e.g.:

[[advisories.ignore]]
id = "RUSTSEC-2026-0187"
reason = "convergio-reports uses lopdf for write-only PDF generation; vulnerable parse entrypoints are never called"

RUSTSEC-2026-0185 — quinn-proto 0.11.14 (HIGH 7.5)

This PR removed the ignore for RUSTSEC-2026-0185 on the assumption the advisory was stale. But the dependency is still live:

quinn-proto 0.11.14
└── quinn 0.11.9
    └── reqwest 0.12.28
        ├── jsonschema 0.21.0 → convergio-reports
        ├── hf-hub 0.5.0 → fastembed → convergio-embed
        ├── convergio-tui, convergio-server, convergio-mcp, …
        └── convergio-capability-registry

reqwest pulls in quinn, which pulls in the vulnerable quinn-proto. Removing the ignore was premature — the ignore or a cargo update -p quinn-proto to ≥ 0.11.15 is still required.

Fix needed (choose one):

  1. Re-add the RUSTSEC-2026-0185 ignore with a note that reqwest owns the quinn dep and the fix lands when reqwest upgrades quinn-proto upstream, OR
  2. Run cargo update -p quinn-proto --precise <patched-version> if 0.11.15+ is already published.

Unblocked chain once this is green: #488 (release 0.3.40) → #507 (uuid bump) → #508 (rmcp bump, note: 1.8.0 has a source-breaking API change in Peer::peer_info() return type despite being a minor bump — review convergio-mcp call sites before merging).

cc @Roberdan


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants