
fix(security): RUSTSEC-2024-0436 audit config + 6 npm CVEs in mcp docs server#16

Merged
ruvnet merged 1 commit into
mainfrom
fix/security-audit-2026-05-23
May 23, 2026

Conversation

@ruvnet ruvnet commented May 23, 2026

Security & Quality Fixes

Rust — cargo-audit

RUSTSEC-2024-0436 (paste 1.0.15 — unmaintained, warning-level)

Added .cargo/audit.toml to document and suppress this advisory with full justification. The paste crate has no CVE score (unmaintained warning only). It enters the dependency graph only through the optional rvm-gpu webgpu/metal feature:

rvm-gpu (cuda-rust-wasm, off by default)
  → wgpu → wgpu-hal → metal (macOS only) → paste

No fix is available without an upstream cuda-rust-wasm or wgpu release removing the metal → paste dependency. The ignore entry in .cargo/audit.toml includes a full prose justification so future maintainers understand the rationale.

Rust gate results:

  • cargo audit — clean (exit 0, 0 vulnerabilities, warning suppressed with justification)
  • cargo clippy --workspace --all-targets --no-deps -- -D warnings — clean
  • cargo fmt --all --check — clean
  • cargo test --workspace — 882 tests, 0 failures

Node / npm — userguide/mcp/ docs MCP server

npm audit fix resolved 6 CVEs in transitive dependencies of @modelcontextprotocol/sdk:

| Package | Affected versions | Severity | Advisory | Fixed version |
|---|---|---|---|---|
| fast-uri | <= 3.1.1 | HIGH | GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc: path traversal + host confusion via percent-encoded segments | 3.1.2 |
| hono | <= 4.12.17 | MODERATE | Multiple: cookie injection, path traversal in toSSG(), middleware bypass, JWT NumericDate, cache leakage, bodyLimit bypass, JSX HTML injection | 4.12.22 |
| @hono/node-server | < 1.19.13 | MODERATE | GHSA-92pp-h63x-v22m: middleware bypass via repeated slashes in serveStatic | 1.19.14 |
| ip-address | <= 10.1.0 | MODERATE | GHSA-v2v4-37r5-5v8g: XSS in Address6 HTML-emitting methods | 10.2.0 |
| express-rate-limit | 8.0.1-8.5.0 | MODERATE | vulnerable ip-address transitive dependency | 8.5.2 |
| qs | 6.11.1-6.15.1 | MODERATE | GHSA-q8mj-m7cp-5q26: DoS via null entries in comma-format arrays | 6.15.2 |

npm audit now reports 0 vulnerabilities.


Test plan

  • cargo audit — clean (0 vulnerabilities, exit 0)
  • cargo clippy --workspace --all-targets --no-deps -- -D warnings — clean
  • cargo fmt --all --check — clean (exit 0)
  • cargo test --workspace — 882 tests, 0 failures
  • npm audit in userguide/mcp/ — 0 vulnerabilities
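
The PR description refers to a `.cargo/audit.toml` ignore entry but does not show it. The following is an added illustration of the shape such an entry takes, not the file merged in this PR; it uses only the advisory id, crate name and dependency path given above, and the comment text is assumed.

```toml
# .cargo/audit.toml (illustrative reconstruction, not the file from this PR)
[advisories]
# RUSTSEC-2024-0436: `paste` 1.0.15 is unmaintained. Informational warning only,
# no CVE score. It enters the graph solely through an optional, off-by-default
# GPU feature:
#   rvm-gpu (cuda-rust-wasm) -> wgpu -> wgpu-hal -> metal (macOS only) -> paste
# No fix exists until an upstream cuda-rust-wasm or wgpu release drops the
# metal -> paste edge. Re-check with `cargo tree -i paste` whenever wgpu or
# cuda-rust-wasm is bumped, and remove this entry once the path disappears.
ignore = ["RUSTSEC-2024-0436"]
```

`cargo audit` picks this file up from `.cargo/audit.toml` in the project root. One caveat worth keeping in mind: an `ignore` entry is keyed on the advisory id, so it keeps silencing RUSTSEC-2024-0436 even if that advisory is later reclassified, which is why tying the justification to a concrete dependency path and a re-check command matters.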

…s server

Rust / cargo-audit:
- Add .cargo/audit.toml to document and suppress RUSTSEC-2024-0436
  (paste 1.0.15 unmaintained). The advisory is a WARNING, not a
  vulnerability — paste has no CVE score. It enters the dependency
  graph only through the optional rvm-gpu webgpu feature:
    rvm-gpu (cuda-rust-wasm, off by default) -> wgpu -> wgpu-hal
    -> metal (macOS only) -> paste
  No fix is available without an upstream cuda-rust-wasm/wgpu release.
  The ignore entry is annotated with full justification.
- cargo audit, cargo clippy -D warnings, cargo fmt --check, and
  cargo test --workspace all pass clean (882 tests, 0 failures).

Node / npm (userguide/mcp):
- npm audit fix: resolved 6 CVEs in transitive deps of @modelcontextprotocol/sdk:
  * fast-uri <= 3.1.1: HIGH — path traversal via percent-encoded dot
    segments (GHSA-q3j6-qgpj-74h6) + host confusion via percent-encoded
    authority delimiters (GHSA-v39h-62p7-jpjc) → bumped to 3.1.2
  * hono <= 4.12.17: MODERATE — cookie name injection, path traversal in
    toSSG(), middleware bypass, JWT NumericDate validation, cache leakage,
    bodyLimit bypass, JSX HTML injection (multiple GHSAs) → bumped to 4.12.22
  * @hono/node-server < 1.19.13: MODERATE — middleware bypass via repeated
    slashes in serveStatic (GHSA-92pp-h63x-v22m) → bumped to 1.19.14
  * ip-address <= 10.1.0: MODERATE — XSS in Address6 HTML-emitting methods
    (GHSA-v2v4-37r5-5v8g) → bumped to 10.2.0
  * express-rate-limit 8.0.1-8.5.0: MODERATE — depends on vulnerable
    ip-address → bumped to 8.5.2
  * qs 6.11.1-6.15.1: MODERATE — DoS via null entries in comma-format
    arrays (GHSA-q8mj-m7cp-5q26) → bumped to 6.15.2
  npm audit now reports 0 vulnerabilities.
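
`npm audit` reports the advisory database's view; a practitioner usually also wants a direct check that the lockfile actually pins every affected package at or above the version it was bumped to, including nested duplicate copies that a top-level listing would miss. The following is an added example, not code from this PR or the repository. It assumes a `lockfileVersion` 2 or 3 `package-lock.json` (whose `packages` map is keyed by `node_modules` path); the two sample lockfiles in it are constructed, not the docs server's real one, and the minimum versions come from the table in the PR description.

```javascript
// Added example (not code from this PR or the repository): verify that a
// package-lock.json pins every package in the advisory table at or above the
// version the PR bumped it to, including nested duplicate copies that a
// top-level listing would not show.
// Assumes lockfileVersion 2 or 3, where "packages" is keyed by node_modules path.

// Minimum fixed versions, taken from the PR description.
const MIN_FIXED = {
  "fast-uri": "3.1.2",
  "hono": "4.12.22",
  "@hono/node-server": "1.19.14",
  "ip-address": "10.2.0",
  "express-rate-limit": "8.5.2",
  "qs": "6.15.2",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata (+...) is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric (not lexicographic) comparison; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageName(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Every installed copy of a listed package that is still below its fixed version.
function checkLockfile(lock, minFixed = MIN_FIXED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (name === null || !(name in minFixed) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      findings.push({ path: key, name, installed: entry.version, required: minFixed[name] });
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk (CommonJS).
function checkLockfileFile(path) {
  const fs = require("fs");
  return checkLockfile(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample lockfiles, not the docs server's real package-lock.json.
const BEFORE_FIX = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-mcp-server", version: "0.0.0" },
    "node_modules/fast-uri": { version: "3.1.1" },
    "node_modules/hono": { version: "4.12.17" },
    "node_modules/@hono/node-server": { version: "1.19.14" },
    "node_modules/ip-address": { version: "10.2.0" },
    "node_modules/express-rate-limit": { version: "8.5.2" },
    "node_modules/qs": { version: "6.15.2" },
    // a nested older copy: the top-level qs is fixed, this one is not
    "node_modules/some-dep/node_modules/qs": { version: "6.13.0" },
  },
};
const AFTER_FIX = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-mcp-server", version: "0.0.0" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/hono": { version: "4.12.22" },
    "node_modules/@hono/node-server": { version: "1.19.14" },
    "node_modules/ip-address": { version: "10.2.0" },
    "node_modules/express-rate-limit": { version: "8.5.2" },
    "node_modules/qs": { version: "6.15.2" },
  },
};

for (const f of checkLockfile(BEFORE_FIX)) {
  console.log(`${f.path}: ${f.installed} < ${f.required}`);
}
console.log(`after fix: ${checkLockfile(AFTER_FIX).length} findings`);
```

Run against the real file with `checkLockfileFile("userguide/mcp/package-lock.json")` and fail the CI step when the returned list is non-empty. Walking every `packages` key rather than only the top-level `node_modules/<name>` entries is the point of the check: `npm audit fix` can leave an older nested copy under another dependency, and that copy is just as reachable at runtime as the fixed top-level one.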
@ruvnet ruvnet merged commit af97d18 into main May 23, 2026
2 checks passed
@ruvnet ruvnet deleted the fix/security-audit-2026-05-23 branch May 23, 2026 09:31