fix(deps): remove stale pyo3 advisory ignores #2130

Merged. chaliy merged 1 commit into main from 2026-06-27-propose-fix-for-pyo3-advisory-ignores on Jun 28, 2026.
Conversation

chaliy (Contributor) commented Jun 27, 2026

Motivation

  • Remove stale cargo-deny ignores for PyO3 advisories RUSTSEC-2026-0176 and RUSTSEC-2026-0177 now that the workspace upgrades pyo3 and pyo3-async-runtimes to 0.29 so future reintroductions are not silently suppressed.

Description

  • Deleted the two PyO3 advisory IDs from deny.toml's [advisories].ignore array to restore normal advisory reporting.

Testing

  • Ran a small assertion script (python3 - <<'PY' ...) that confirmed both advisory IDs are absent from deny.toml (passed).
  • Attempted cargo deny check advisories but it could not be executed in this environment because cargo-deny is not installed (not executed).

Codex Task

cloudflare-workers-and-pages bot commented Jun 27, 2026

Deploying with Cloudflare Workers.

Status: Deployment successful. Project: bashkit. Latest commit: b219eca. Updated (UTC): Jun 28 2026, 09:32 AM.

chaliy force-pushed the 2026-06-27-propose-fix-for-pyo3-advisory-ignores branch from 80c1a85 to b219eca on June 28, 2026, 09:32
chaliy merged commit 1e37a1d into main on Jun 28, 2026
16 checks passed
chaliy deleted the 2026-06-27-propose-fix-for-pyo3-advisory-ignores branch on June 28, 2026, 09:43
chaliy added a commit that referenced this pull request Jul 1, 2026
…s/yaml (#2131)

Security dependency hygiene. Rebased on latest `main`; scope narrowed
after #2130 landed.

> **Note:** #2130 already removed the stale pyo3 ignores from
`deny.toml`. That overlap dropped out cleanly on rebase — but #2130
**missed `.cargo/audit.toml`**, which carried the same now-stale
entries. This PR finishes that cleanup and adds an unrelated npm fix.

## 1. Drop stale pyo3 advisory ignores from `.cargo/audit.toml` (cargo)

`pyo3`/`pyo3-async-runtimes` are at **0.29.0** in `Cargo.lock`, so these
are "patched in >= 0.29" and no longer match any crate — dead
suppressions:

- `RUSTSEC-2026-0176` — OOB read in `PyList`/`PyTuple` `nth`/`nth_back`
- `RUSTSEC-2026-0177` — missing `Sync` bound on
`PyCFunction::new_closure`

`.cargo/audit.toml` is the file CI's `cargo-audit`
(`rustsec/audit-check`) actually reads, so leaving these here keeps a
live suppression that would re-mask the advisory if pyo3 were
downgraded. The matching `deny.toml` entries were already removed by
#2130.

Remaining ignore kept (still present, no fixed release):
`RUSTSEC-2023-0071` (`rsa` Marvin, via `russh`).

## 2. Bump site ws/yaml to patched versions (npm)

Two GitHub Dependabot alerts on the `site/` Astro project, both deep
transitive **dev** deps (build/deploy tooling, not shipped in the
bundle):

- `ws` (GHSA-96hv-2xvq-fx4p, **high**): memory-exhaustion DoS; affects
`>=8.0.0 <8.21.0`; via `wrangler > miniflare > ws`. Pinned `>=8.21.0`.
- `yaml` (GHSA-48c2-rrv3-qjmp, **moderate**): stack overflow via deeply
nested collections; affects `>=2.0.0 <2.8.3`; via `@astrojs/check > … >
yaml`. Pinned `>=2.8.3` (resolves 2.9.0).

Added as pnpm `overrides` alongside the existing esbuild/undici security
pins. `pnpm audit` now reports **no known vulnerabilities** for `site/`.

## Verification

- `pyo3 = 0.29.0` / `pyo3-async-runtimes = 0.29.0` in `Cargo.lock`.
- `pnpm audit` clean for `site/`; Site Build + Cloudflare deploy green
on the PR.
- RustSec DB is egress-blocked in the dev sandbox; CI's `cargo-audit`
validates the cargo side on networked runners.

https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
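The two cleanups above (the `deny.toml` ignores removed in #2130 and the `.cargo/audit.toml` ignores removed in #2131) are the same check applied to two files: an advisory ignore is dead once every locked copy of the affected crate is at or above the first patched version, and the two tools' ignore lists should not drift apart. The script below is an added example, not code from the bashkit project or from either PR. It parses constructed stand-ins for `Cargo.lock`, `deny.toml` and `.cargo/audit.toml` embedded as strings, and the advisory-to-crate mapping (`ADVISORIES`) is an assumption taken from the commit message (pyo3 advisories patched in 0.29, `rsa` with no fixed release); in real use that mapping would come from the RustSec database, and the three strings would be read from disk.

```python
"""Flag advisory ignores that no longer match any locked crate version.

Added example (not the project's own tooling). Inputs are constructed
stand-ins for Cargo.lock, deny.toml and .cargo/audit.toml; ADVISORIES is
an assumed subset of what the RustSec database would provide.
"""
try:
    import tomllib            # Python 3.11+
except ModuleNotFoundError:   # older interpreters: pip install tomli
    import tomli as tomllib   # type: ignore

# Constructed sample Cargo.lock: only the fields this check needs.
CARGO_LOCK = """
[[package]]
name = "pyo3"
version = "0.29.0"

[[package]]
name = "pyo3-async-runtimes"
version = "0.29.0"

[[package]]
name = "rsa"
version = "0.9.6"
"""

# Constructed deny.toml as it looked before #2130. Entries may be bare
# strings or the `{ id = ..., reason = ... }` table form cargo-deny accepts.
DENY_TOML = """
[advisories]
ignore = [
    "RUSTSEC-2026-0176",
    { id = "RUSTSEC-2026-0177", reason = "fixed in pyo3 0.29" },
    "RUSTSEC-2023-0071",
]
"""

# Constructed .cargo/audit.toml (cargo-audit reads this one, not deny.toml).
AUDIT_TOML = """
[advisories]
ignore = ["RUSTSEC-2026-0176", "RUSTSEC-2026-0177", "RUSTSEC-2023-0071"]
"""

# Assumed advisory -> (crate, first patched version). None = no fix released.
ADVISORIES = {
    "RUSTSEC-2026-0176": ("pyo3", (0, 29, 0)),
    "RUSTSEC-2026-0177": ("pyo3", (0, 29, 0)),
    "RUSTSEC-2023-0071": ("rsa", None),
}


def parse_version(v: str) -> tuple[int, ...]:
    """'0.29.0' -> (0, 29, 0); pre-release and build suffixes are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))


def locked_versions(cargo_lock: str) -> dict[str, list[tuple[int, ...]]]:
    """Crate name -> every locked version (a crate can be locked more than once)."""
    out: dict[str, list[tuple[int, ...]]] = {}
    for pkg in tomllib.loads(cargo_lock).get("package", []):
        out.setdefault(pkg["name"], []).append(parse_version(pkg["version"]))
    return out


def ignored_ids(config: str) -> set[str]:
    """Advisory IDs listed under [advisories].ignore, string or table form."""
    entries = tomllib.loads(config).get("advisories", {}).get("ignore", [])
    return {e["id"] if isinstance(e, dict) else e for e in entries}


def stale_ignores(config: str, cargo_lock: str, advisories=ADVISORIES) -> set[str]:
    """IDs whose crate is absent from the lock file or patched in every locked copy."""
    locked = locked_versions(cargo_lock)
    stale: set[str] = set()
    for adv_id in ignored_ids(config):
        crate, patched = advisories.get(adv_id, (None, None))
        if crate is None or patched is None:
            continue  # unknown advisory or no fixed release: leave for a human
        # all() over an empty list is True: a crate no longer in the lock
        # file cannot be affected, so its ignore is dead too.
        if all(v >= patched for v in locked.get(crate, [])):
            stale.add(adv_id)
    return stale


def ignore_drift(deny_toml: str, audit_toml: str) -> set[str]:
    """IDs suppressed in one tool's config but not the other."""
    return ignored_ids(deny_toml) ^ ignored_ids(audit_toml)


if __name__ == "__main__":
    for name, cfg in (("deny.toml", DENY_TOML), (".cargo/audit.toml", AUDIT_TOML)):
        print(f"{name}: stale ignores {sorted(stale_ignores(cfg, CARGO_LOCK))}")
    print(f"drift between the two files: {sorted(ignore_drift(DENY_TOML, AUDIT_TOML))}")
```

Run under Python 3.11+ (or `pip install tomli` on older interpreters). `stale_ignores` reports the two pyo3 advisories for both files while leaving `RUSTSEC-2023-0071` alone because it has no patched version. `ignore_drift` is the check that would have flagged the state after #2130 and before #2131, when `deny.toml` no longer listed the pyo3 IDs but `.cargo/audit.toml` still did; wiring both checks into CI alongside `cargo deny check advisories` and `cargo audit` keeps a downgrade from being silently re-masked.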