fix(deps): bump rustls-webpki / tar / lru to clear RUSTSEC advisories#175
Merged
pszymkowiak merged 1 commit into develop, May 2, 2026
Conversation
Three quick-win security bumps grouped into one PR — found via `cargo audit` during the 0.10.43 verification audit.

## Cleared

- **RUSTSEC-2026-0049/0098/0099/0104** — rustls-webpki 0.103.9 → 0.103.13
  Pulled transitively via ureq/hf-hub/reqwest. Semver-compatible bump via `cargo update`, no Cargo.toml change.
- **RUSTSEC-2026-0067/0068** (medium 5.1) — tar 0.4.44 → 0.4.45
  Direct dep in icm-cli (release artifact packaging). Pinned to `tar = "0.4.45"` in workspace Cargo.toml to make the floor explicit.
- **RUSTSEC-2026-0002** (unsound IterMut) — lru 0.12 → 0.18
  Direct dep in icm-store added in #167 for the recall LRU cache. Bumped to 0.18 (the latest stable) since both 0.13 and 0.16 still carried the advisory; 0.18 is the first version listed as unaffected. Our usage is `get`/`put`/`pop`/`clear` — the unsound `IterMut` path was never on the hot path here, but the bump removes the lint regardless.

## Remaining warnings (out of scope, transitive)

- `lru 0.12.5` still pulled by `ratatui 0.29.0`. Bumping ratatui is bigger than this PR. Our usage is in icm-store, which now uses 0.18.
- `paste 1.0.15` (unmaintained), `core2 0.4.0` (yanked) — both via fastembed/ratatui transitively. Same reasoning.

## Test plan

- [x] `cargo audit` no longer flags any direct dep
- [x] `cargo build --workspace` clean
- [x] `cargo fmt --all -- --check` clean
- [x] `cargo clippy --workspace --all-targets -- -D warnings` clean
- [x] `cargo test --release --workspace` 339+ passed
- The debug-build `perf_fts_search_100` test is parallelism-sensitive on local — passes in release mode and on CI defaults. Not a regression from this PR (same test was flaky before, baseline confirmed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
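The triage rule the PR applies ("`cargo audit` no longer flags any direct dep"; transitive findings are tracked but not blocking) can be turned into a CI gate. The script below is an added example, not part of this PR or the project: it assumes the `vulnerabilities.list` shape of `cargo audit --json` and a constructed set of direct workspace dependencies (in practice derive it from `cargo metadata`); the sample report is constructed to mirror the pre-bump state described above.

```python
"""Gate on `cargo audit --json`: advisories on direct deps block, transitive ones warn."""
import json

# Assumed: the workspace's direct dependencies (constructed from the PR text).
DIRECT_DEPS = {"tar", "lru", "ureq", "ratatui"}

# Constructed sample in the assumed cargo-audit JSON shape (pre-bump state).
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {"found": True, "count": 3, "list": [
        {"advisory": {"id": "RUSTSEC-2026-0002", "package": "lru"},
         "versions": {"patched": [">=0.18.0"]},
         "package": {"name": "lru", "version": "0.12.5"}},
        {"advisory": {"id": "RUSTSEC-2026-0067", "package": "tar"},
         "versions": {"patched": [">=0.4.45"]},
         "package": {"name": "tar", "version": "0.4.44"}},
        {"advisory": {"id": "RUSTSEC-2026-0049", "package": "rustls-webpki"},
         "versions": {"patched": [">=0.103.13"]},
         "package": {"name": "rustls-webpki", "version": "0.103.9"}},
    ]},
})
# Constructed: a clean report, as produced after the bumps land.
EMPTY_AUDIT_JSON = '{"vulnerabilities": {"found": false, "count": 0, "list": []}}'


def triage(audit_json: str, direct_deps: set[str]) -> dict[str, list[str]]:
    """Split advisories into those on direct deps (blocking) and transitive ones."""
    report = json.loads(audit_json)
    result: dict[str, list[str]] = {"blocking": [], "transitive": []}
    for entry in report.get("vulnerabilities", {}).get("list", []):
        pkg = entry["package"]
        patched = ", ".join(entry.get("versions", {}).get("patched", [])) or "none"
        line = f'{entry["advisory"]["id"]} {pkg["name"]} {pkg["version"]} (patched: {patched})'
        bucket = "blocking" if pkg["name"] in direct_deps else "transitive"
        result[bucket].append(line)
    return result


def gate_passes(audit_json: str, direct_deps: set[str]) -> bool:
    """True when no advisory touches a direct dependency."""
    return not triage(audit_json, direct_deps)["blocking"]


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_AUDIT_JSON, DIRECT_DEPS).items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
    raise SystemExit(0 if gate_passes(SAMPLE_AUDIT_JSON, DIRECT_DEPS) else 1)
```

Run it as a CI step with the real report piped in (`cargo audit --json > audit.json`) and a direct-dep list extracted from `cargo metadata`; the transitive bucket is what a follow-up PR like the ratatui bump would drain.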
Three quick-win security bumps grouped into one PR — found via `cargo audit` during the 0.10.43 post-release verification audit.

## Cleared CVEs / advisories

## Notes on lru bump

## Remaining warnings (out of scope)

`paste 1.0.15` (unmaintained, via fastembed/ratatui), `core2 0.4.0` (yanked, via flate2 chain), `number_prefix` (unmaintained, via indicatif). All transitive; addressing them requires upstream releases or upstream-dep version bumps that need their own PRs.

## Test plan

🤖 Generated with Claude Code