From 1fe44185690ea6377d821ad231463366c92ea353 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Jul 2026 01:14:56 +0000 Subject: [PATCH 1/3] fix(ci): ignore RUSTSEC-2026-0185 + drop obsolete ban-skip MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit quinn-proto 0.11.14 (RUSTSEC-2026-0185, QUIC stream-reassembly DoS) is pulled in transitively via jsonschema → reqwest. Convergio never opens a QUIC endpoint (axum/hyper TCP only; reqwest uses rustls-tls, not http3), so the vulnerable code is compiled in but unreachable. Add a deny.toml ignore with that rationale. Remove when quinn-proto >= 0.11.15 is on crates.io and cargo update picks it up. Also drop the now-obsolete redox_syscall@0.5.18 [bans] skip; the crate is no longer present in Cargo.lock after recent dep bumps. Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg --- deny.toml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index 2f1d6c19..bbf92905 100644 --- a/deny.toml +++ b/deny.toml @@ -16,6 +16,16 @@ ignore = [ # 0.16.3) but ratatui 0.29 pins the older minor; cvg dash never # exercises IterMut. Revisit at the next ratatui upgrade. { id = "RUSTSEC-2026-0002", reason = "lru v0.12.5 transitive via ratatui 0.29; cvg dash does not call IterMut. Revisit when ratatui bumps lru" }, + # quinn-proto 0.11.14 has a QUIC stream-reassembly memory exhaustion + # (RUSTSEC-2026-0185, fix: >= 0.11.15). It enters the dep graph via + # jsonschema 0.21 → reqwest (default features) → quinn 0.11.9. + # Convergio never opens a QUIC endpoint: the server runs axum/hyper + # over TCP only, and all reqwest clients are built with the + # `rustls-tls` feature (no http3). The vulnerable QUIC reassembly + # logic is compiled in but never reached at runtime. + # Remove this ignore once quinn-proto >= 0.11.15 is published on + # crates.io and `cargo update --workspace` picks it up. + { id = "RUSTSEC-2026-0185", reason = "quinn-proto via jsonschema→reqwest; no QUIC endpoint in convergio — remove when quinn-proto >= 0.11.15 is on crates.io" }, ] [licenses] @@ -61,7 +71,6 @@ skip = [ { crate = "getrandom@0.3.4", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" }, { crate = "hashbrown@0.15.5", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, { crate = "hashbrown@0.16.1", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" }, - { crate = "redox_syscall@0.5.18", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, { crate = "thiserror@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, { crate = "thiserror-impl@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, { crate = "wit-bindgen@0.51.0", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" }, From 1aabc223533037b545563b331b6f0bad71f6224a Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Jul 2026 01:17:44 +0000 Subject: [PATCH 2/3] fix(ci): swap RUSTSEC-2026-0185 ignore for RUSTSEC-2026-0187 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RUSTSEC-2026-0185 (quinn-proto) is not in the RUSTSEC DB as seen by cargo-deny in CI, so our ignore entry triggered advisory-not-detected (hard error). Remove it. A new advisory landed: RUSTSEC-2026-0187 — lopdf 0.34.0 stack-overflow on deeply-nested PDF input (fixed in 0.42.0). convergio-reports uses lopdf for PDF *generation* only (Document::new, Stream, Operation, xobject::image_from) and never calls the vulnerable load/load_mem parse APIs on untrusted input. Ignore with justification; revisit when convergio-reports upgrades to lopdf >= 0.42.0. Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg --- deny.toml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/deny.toml b/deny.toml index bbf92905..603dae13 100644 --- a/deny.toml +++ b/deny.toml @@ -16,16 +16,14 @@ ignore = [ # 0.16.3) but ratatui 0.29 pins the older minor; cvg dash never # exercises IterMut. Revisit at the next ratatui upgrade. { id = "RUSTSEC-2026-0002", reason = "lru v0.12.5 transitive via ratatui 0.29; cvg dash does not call IterMut. Revisit when ratatui bumps lru" }, - # quinn-proto 0.11.14 has a QUIC stream-reassembly memory exhaustion - # (RUSTSEC-2026-0185, fix: >= 0.11.15). It enters the dep graph via - # jsonschema 0.21 → reqwest (default features) → quinn 0.11.9. - # Convergio never opens a QUIC endpoint: the server runs axum/hyper - # over TCP only, and all reqwest clients are built with the - # `rustls-tls` feature (no http3). The vulnerable QUIC reassembly - # logic is compiled in but never reached at runtime. - # Remove this ignore once quinn-proto >= 0.11.15 is published on - # crates.io and `cargo update --workspace` picks it up. - { id = "RUSTSEC-2026-0185", reason = "quinn-proto via jsonschema→reqwest; no QUIC endpoint in convergio — remove when quinn-proto >= 0.11.15 is on crates.io" }, + # lopdf 0.34.0 can stack-overflow on deeply nested PDF objects when + # parsing (RUSTSEC-2026-0187, fixed in 0.42.0). convergio-reports + # uses lopdf exclusively for PDF *generation* (Document::new, + # Stream, Operation, xobject::image_from) — it never calls + # Document::load / load_mem or any other parse entry point on + # untrusted input. The vulnerable parser is compiled in but never + # reached at runtime. Revisit when lopdf 0.42 API is adopted. + { id = "RUSTSEC-2026-0187", reason = "lopdf via convergio-reports; only PDF write path used — load* parse APIs never called. Revisit when lopdf bumped to >= 0.42.0" }, ] [licenses] From 9aa99969517a8e7f58c3b097957047de90d48df0 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Jul 2026 01:19:40 +0000 Subject: [PATCH 3/3] =?UTF-8?q?fix(deps):=20bump=20anyhow=201.0.102=20?= =?UTF-8?q?=E2=86=92=201.0.103=20(RUSTSEC-2026-0190)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit anyhow 1.0.102 has unsound Error::downcast_mut (RUSTSEC-2026-0190, fixed in 1.0.103). Patch-level bump; no API or behaviour change. Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01F6XgugyPkW9P2ULRF15sUg --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0380d464..e29638e8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -116,9 +116,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +checksum = "2a4385e2e34eb35d6b3efe798b9eb88096925d87726c0798709bf56d9ed84af3" [[package]] name = "arbitrary"