Commit 0602294
fix(deps): bump rustls-webpki / tar / lru to clear RUSTSEC advisories
Three quick-win security bumps grouped into one PR — found via
`cargo audit` during the 0.10.43 verification audit.
## Cleared
- **RUSTSEC-2026-0049/0098/0099/0104** — rustls-webpki 0.103.9 → 0.103.13
Pulled transitively via ureq/hf-hub/reqwest. Semver-compatible bump
via `cargo update`, no Cargo.toml change.
- **RUSTSEC-2026-0067/0068** (medium 5.1) — tar 0.4.44 → 0.4.45
Direct dep in icm-cli (release artifact packaging). Pinned to
`tar = "0.4.45"` in workspace Cargo.toml to make the floor explicit.
- **RUSTSEC-2026-0002** (unsound IterMut) — lru 0.12 → 0.18
Direct dep in icm-store added in #167 for the recall LRU cache.
Bumped to 0.18 (the latest stable) since both 0.13 and 0.16 still
carried the advisory; 0.18 is the first version listed as
unaffected. Our usage is `get`/`put`/`pop`/`clear` — the unsound
`IterMut` path was never on the hot path here, but the bump
removes the lint regardless.
## Remaining warnings (out of scope, transitive)
- `lru 0.12.5` still pulled by `ratatui 0.29.0`. Bumping ratatui is
bigger than this PR. Our usage is in icm-store, which now uses
0.18.
- `paste 1.0.15` (unmaintained), `core2 0.4.0` (yanked) — both via
fastembed/ratatui transitively. Same reasoning.
## Test plan
- [x] `cargo audit` no longer flags any direct dep
- [x] `cargo build --workspace` clean
- [x] `cargo fmt --all -- --check` clean
- [x] `cargo clippy --workspace --all-targets -- -D warnings` clean
- [x] `cargo test --release --workspace` 339+ passed
- The debug-build `perf_fts_search_100` test is parallelism-sensitive
on local — passes in release mode and on CI defaults. Not a
regression from this PR (same test was flaky before, baseline
confirmed).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 7a4c4b4 commit 0602294
2 files changed
Lines changed: 35 additions & 9 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
51 | 51 | | |
52 | 52 | | |
53 | 53 | | |
54 | | - | |
| 54 | + | |
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
| |||