fix(security): RUSTSEC-2024-0436 audit config + 6 npm CVEs in mcp docs server#16
Merged
Rust / cargo-audit:
- Add .cargo/audit.toml to document and suppress RUSTSEC-2024-0436
(paste 1.0.15 unmaintained). The advisory is a WARNING, not a
vulnerability — paste has no CVE score. It enters the dependency
graph only through the optional rvm-gpu webgpu feature:
rvm-gpu (cuda-rust-wasm, off by default) -> wgpu -> wgpu-hal
-> metal (macOS only) -> paste
No fix is available without an upstream cuda-rust-wasm/wgpu release.
The ignore entry is annotated with full justification.
- cargo audit, cargo clippy -D warnings, cargo fmt --check, and
cargo test --workspace all pass clean (882 tests, 0 failures).
Node / npm (userguide/mcp):
- npm audit fix: resolved 6 CVEs in transitive deps of @modelcontextprotocol/sdk:
* fast-uri <= 3.1.1: HIGH — path traversal via percent-encoded dot
segments (GHSA-q3j6-qgpj-74h6) + host confusion via percent-encoded
authority delimiters (GHSA-v39h-62p7-jpjc) → bumped to 3.1.2
* hono <= 4.12.17: MODERATE — cookie name injection, path traversal in
toSSG(), middleware bypass, JWT NumericDate validation, cache leakage,
bodyLimit bypass, JSX HTML injection (multiple GHSAs) → bumped to 4.12.22
* @hono/node-server < 1.19.13: MODERATE — middleware bypass via repeated
slashes in serveStatic (GHSA-92pp-h63x-v22m) → bumped to 1.19.14
* ip-address <= 10.1.0: MODERATE — XSS in Address6 HTML-emitting methods
(GHSA-v2v4-37r5-5v8g) → bumped to 10.2.0
* express-rate-limit 8.0.1-8.5.0: MODERATE — depends on vulnerable
ip-address → bumped to 8.5.2
* qs 6.11.1-6.15.1: MODERATE — DoS via null entries in comma-format
arrays (GHSA-q8mj-m7cp-5q26) → bumped to 6.15.2
npm audit now reports 0 vulnerabilities.
Security & Quality Fixes

Rust — cargo-audit

RUSTSEC-2024-0436 (`paste` 1.0.15 — unmaintained, warning-level)

Added `.cargo/audit.toml` to document and suppress this advisory with full justification. The `paste` crate has no CVE score (unmaintained warning only). It enters the dependency graph only through the optional `rvm-gpu` webgpu/metal feature:

    rvm-gpu (cuda-rust-wasm, off by default) -> wgpu -> wgpu-hal -> metal (macOS only) -> paste

No fix is available without an upstream `cuda-rust-wasm` or `wgpu` release removing the `metal → paste` dependency. The ignore entry in `.cargo/audit.toml` includes a full prose justification so future maintainers understand the rationale.

Rust gate results:
- `cargo audit` — clean (exit 0, 0 vulnerabilities, warning suppressed with justification)
- `cargo clippy --workspace --all-targets --no-deps -- -D warnings` — clean
- `cargo fmt --all --check` — clean
- `cargo test --workspace` — 882 tests, 0 failures

Node / npm — `userguide/mcp/` docs MCP server

`npm audit fix` resolved 6 CVEs in transitive dependencies of `@modelcontextprotocol/sdk`:
- `fast-uri` <= 3.1.1
- `hono` <= 4.12.17
- `@hono/node-server` < 1.19.13
- `ip-address` <= 10.1.0
- `express-rate-limit` 8.0.1-8.5.0
- `qs` 6.11.1-6.15.1

`npm audit` now reports 0 vulnerabilities.

Test plan
- `cargo audit` — clean (0 vulnerabilities, exit 0)
- `cargo clippy --workspace --all-targets --no-deps -- -D warnings` — clean
- `cargo fmt --all --check` — clean (exit 0)
- `cargo test --workspace` — 882 tests, 0 failures
- `npm audit` in `userguide/mcp/` — 0 vulnerabilities
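A regression gate for the six npm advisories above, as an added example that is not part of the PR or the project's code. It walks a lockfile v2/v3 `packages` map, including nested `node_modules` copies that `npm audit fix` can leave behind, and flags any installed version that still falls inside the affected ranges exactly as the PR lists them (note that `express-rate-limit` and `qs` have lower bounds, so older releases are not flagged). The range table is copied from the PR text; the lockfile at the bottom is constructed for the demonstration, and the `findAffected`/`isAffected` names are this example's own.

```javascript
// Added example, not code from the PR: lockfile regression gate for the six
// npm advisories the PR lists. Affected ranges are taken from the PR text;
// SAMPLE_LOCK below is a constructed lockfile fragment.

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts below
// the same core release (6.15.2-rc.1 < 6.15.2), following SemVer 2.0 rule 11.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (pa.pre === null || pb.pre === null) return (pa.pre === null) - (pb.pre === null);
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter set sorts lower
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); continue; }
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort below alphanumeric ones
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
const lt  = (a, b) => compareSemver(a, b) < 0;
const lte = (a, b) => compareSemver(a, b) <= 0;
const gte = (a, b) => compareSemver(a, b) >= 0;

// Affected ranges exactly as the PR description lists them.
const AFFECTED = {
  "fast-uri":           (v) => lte(v, "3.1.1"),
  "hono":               (v) => lte(v, "4.12.17"),
  "@hono/node-server":  (v) => lt(v, "1.19.13"),
  "ip-address":         (v) => lte(v, "10.1.0"),
  "express-rate-limit": (v) => gte(v, "8.0.1") && lte(v, "8.5.0"),
  "qs":                 (v) => gte(v, "6.11.1") && lte(v, "6.15.1"),
};

// True when this package/version pair is inside one of the listed ranges.
function isAffected(name, version) {
  const pred = AFFECTED[name];
  return pred ? pred(version) : false;
}

// Package name from a lockfile v2/v3 "packages" key. Nested copies live under
// ".../node_modules/<parent>/node_modules/<name>", so take the last segment.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Every installed copy, nested duplicates included, that is still in range.
function findAffected(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (name && entry.version && isAffected(name, entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed lockfile fragment: the top-level copies are at the bumped
// versions, but a nested copy of qs under another dependency is still in range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-mcp-docs-server" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/hono": { version: "4.12.22" },
    "node_modules/@hono/node-server": { version: "1.19.14" },
    "node_modules/ip-address": { version: "10.2.0" },
    "node_modules/express-rate-limit": { version: "8.5.2" },
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/some-dep/node_modules/qs": { version: "6.13.0" },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // one finding: the nested qs 6.13.0
```

In CI you would load the real `package-lock.json` with `JSON.parse` instead of `SAMPLE_LOCK` and fail the job when `findAffected` returns a non-empty list. The gate only knows the six names and ranges from this PR, so it catches a lockfile drifting back into those ranges; it does not replace `npm audit`, which consults the live advisory database.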