chore(deps): bump vulnerable rust packages#10156

Merged: tmu0 merged 7 commits into master from chore/bump-rust-deps-dependabot on May 11, 2026
Conversation


@tmu0 tmu0 commented May 11, 2026

Summary

Resolves the addressable open cargo ecosystem dependabot alerts on this repo by bumping affected crates in Cargo.lock and the Bazel-managed lock files. Sanity-checked by building //rs/canister_client:canister_client locally (~2.4k actions, all succeeded).

Closed alerts

| Crate | Old → New | Closed alerts |
| --- | --- | --- |
| openssl | 0.10.76 / 0.10.72 → 0.10.79 | #482, #483, #484, #485, #486, #487, #488, #489, #496, #497, #506, #507 |
| rand (0.9.x) | 0.9.0 / 0.9.2 → 0.9.3+ | #475, #478 |
| rand (0.10.x) | 0.10.0 → 0.10.1 | #464 |
| actix-http | 3.12.0 / 3.9.0 → 3.12.1 | #473, #474 |
| tar | 0.4.44 → 0.4.45 | #413, #414, #415, #416 |
| rustls-webpki (0.103.x) | 0.103.3 / 0.103.9 → 0.103.13 | #423, #424, #490, #491 |
| lz4_flex (bazel) | 0.11.5 → 0.11.6 | #412 |

Not addressable in this PR

These either have no upstream fix, are pinned by a transitive constraint that would require updating a dependent crate beyond the scope of a security bump, or were tried and rejected because they broke tests:

| Crate | Reason |
| --- | --- |
| quinn-proto | 0.11.7 → 0.11.14 tried, but broke tests on this branch — kept on 0.11.7 (alert #409) |
| rand 0.8.5 | ic-bn-lib v0.1.15 has `rand = "=0.8.5"` exact pin; tried bumping ic-bn-lib to 0.1.19 but it broke tests (alerts #476, #479, #481) |
| rustls-webpki 0.101.7 / 0.102.8 | constrained by warp 0.3.7 → tokio-rustls 0.25 → rustls 0.22 (alerts #469-472) |
| hickory-proto 0.25.2 | requires bumping hickory-resolver to 0.26.x (alerts #502-505) |
| paramiko / wee_alloc / atty | no upstream patch released yet |
| rsa <= 0.9.6 (Marvin attack, timing) | no upstream fix (#317, #318) |
| rs/validator/fuzz/Cargo.lock alerts | fuzz manifest is broken for standalone cargo (missing `[workspace.package]`) and the file is unused by Bazel; would need a separate manifest-repair PR (#294, #318, #380, #393, #461, #462, #463, #481, #317) |
| rs/universal_canister/impl/Cargo.lock alerts | only wee_alloc (unmaintained, no fix) and atty (no fix) — #460, #247 |

How regenerated

```sh
# Main lock
cargo update -p <crate> [--precise <version>]

# Bazel lock
CARGO_BAZEL_REPIN=<crate>[@<from-ver>] bazel build @crate_index//...
```

Note on `bazel/rust.MODULE.bazel`: added a direct `crate.spec(package = "actix-http", version = "^3.12.1")` to force the splicer past 3.12.0 — without it the resolver was free to keep the older transitive version.

Test plan

  • CI passes
  • Sample build of //rs/canister_client:canister_client succeeds (done locally)
  • Confirm dependabot closes the alerts listed above after merge

🤖 Generated with Claude Code

Address open cargo dependabot alerts by bumping the affected crates in
Cargo.lock and the Bazel-managed Cargo.Bazel.{toml,json}.lock files.

Bumped:
- openssl 0.10.76 -> 0.10.79
- rand (0.9.x and 0.10.x bumped to latest patched)
- actix-http 3.12.0/3.9.0 -> 3.12.1 (main) / 3.12.0 (bazel)
- tar 0.4.44 -> 0.4.45
- rustls-webpki (0.103.x bumped to 0.103.13)
- lz4_flex 0.11.5 -> 0.11.6 (bazel)
- quinn-proto 0.11.7 -> 0.11.14 (bazel)

Bazel lock regenerated via `CARGO_BAZEL_REPIN=<crate> bazel build @crate_index//...`.

Not addressed (require deeper dependency-chain bumps outside this PR):
- rand 0.8.5: ic-bn-lib v0.1.15 has `rand = "=0.8.5"` exact pin
- rustls-webpki 0.102.8 / 0.101.7: warp 0.3.7 -> tokio-rustls 0.25 -> rustls 0.22
- hickory-proto 0.25.2: requires bumping hickory-resolver to 0.26
- actix-http 3.12.1 in bazel lock: splicer settles at 3.12.0

Also no upstream fix available: wee_alloc (unmaintained), atty, rsa Marvin
attack (timing), paramiko SHA-1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tmu0 tmu0 requested a review from Copilot May 11, 2026 07:50
@github-actions github-actions Bot added the chore label May 11, 2026

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.


tmu0 and others added 5 commits May 11, 2026 10:38
Pin actix-http directly via crate_universe in bazel/rust.MODULE.bazel so
the splicer pulls in 3.12.1 (closes the remaining bazel-lock instance of
the HTTP/1.1 CL.TE request-smuggling alert #474).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ic-bn-lib 0.1.15 pinned `rand = "=0.8.5"`; 0.1.19 relaxes that to allow
0.8.6, which closes the remaining rand alerts (#476, #479, #481).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Keep quinn-proto at 0.11.7 in the bazel lock. The 0.11.7 -> 0.11.14 bump
broke some tests, so leave dependabot alert #409 open until quinn / its
transitive consumers can absorb the upgrade separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…s-dependabot

# Conflicts:
#	Cargo.Bazel.json.lock
@tmu0 tmu0 marked this pull request as ready for review May 11, 2026 10:28
@tmu0 tmu0 requested a review from a team as a code owner May 11, 2026 10:28
@github-actions github-actions Bot added the @idx label May 11, 2026
@tmu0 tmu0 enabled auto-merge May 11, 2026 10:28
@tmu0 tmu0 added this pull request to the merge queue May 11, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch May 11, 2026
@tmu0 tmu0 enabled auto-merge May 11, 2026 11:54
…s-dependabot

# Conflicts:
#	Cargo.Bazel.json.lock
@tmu0 tmu0 added this pull request to the merge queue May 11, 2026
Merged via the queue into master with commit 3316f93 May 11, 2026
37 checks passed
@tmu0 tmu0 deleted the chore/bump-rust-deps-dependabot branch May 11, 2026 14:27