Skip to content

fix(deps): patch security-audit advisories (crossbeam-epoch, rand)#26

Merged
ycscaly merged 1 commit into
mainfrom
fix/security-audit-crossbeam-rand
Jul 9, 2026
Merged

fix(deps): patch security-audit advisories (crossbeam-epoch, rand)#26
ycscaly merged 1 commit into
mainfrom
fix/security-audit-crossbeam-rand

Conversation

@ycscaly

@ycscaly ycscaly commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Problem

The Security audit CI job (cargo audit) is red on main. It reports 4 entries; only one is a vulnerability (which is what fails the job — denyWarnings: false means warnings don't fail):

Advisory Crate Kind
RUSTSEC-2026-0204 crossbeam-epoch 0.9.18 vulnerability — invalid pointer dereference in fmt::Pointer impl (fix ≥ 0.9.20)
RUSTSEC-2026-0097 rand 0.9.2 unsound (custom logger using rand::rng())
RUSTSEC-2026-0012 keccak 0.1.5 unsound (opt-in ARMv8 asm backend)
keccak 0.1.5 yanked

Fix

Semver-compatible Cargo.lock-only bumps (no Cargo.toml change):

  • crossbeam-epoch 0.9.18 → 0.9.20 (transitive via rayon) — clears the vulnerability
  • rand 0.9.2 → 0.9.4 — clears the unsound warning

keccak 0.1.5 is pinned by merlin 3.0.0 (via the bulletproofs fork) and cannot move without changing that fork; it is warnings-only (unsound backend is opt-in and unused, plus yanked), so it does not fail CI.

After the bump, cargo audit exits 0.

Mirrors dwallet-labs/cryptography-private#603 (identical lockfile bump).

🤖 Generated with Claude Code

Bump transitive deps to clear the failing `cargo audit` CI:

- crossbeam-epoch 0.9.18 -> 0.9.20 (RUSTSEC-2026-0204: invalid
  pointer dereference in `fmt::Pointer` impl; the only advisory
  reported as a vulnerability, i.e. the one failing the job)
- rand 0.9.2 -> 0.9.4 (RUSTSEC-2026-0097: unsoundness with a
  custom logger using `rand::rng()`)

Both are semver-compatible patch bumps (no Cargo.toml change).
The remaining `keccak` 0.1.5 unsound/yanked warnings are pinned
by `merlin` 3.0.0 and are warnings only (`denyWarnings: false`),
so they do not fail CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019YYGKfEk7FvazwgaQtvq37
@ycscaly ycscaly merged commit c407ad4 into main Jul 9, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant