fix(deps): remove stale pyo3 advisory ignores#2130
Merged
This was referenced Jun 29, 2026.

chaliy added a commit that referenced this pull request on Jul 1, 2026:
…s/yaml (#2131)

Security dependency hygiene. Rebased on latest `main`; scope narrowed after #2130 landed.

> **Note:** #2130 already removed the stale pyo3 ignores from `deny.toml`. That overlap dropped out cleanly on rebase — but #2130 **missed `.cargo/audit.toml`**, which carried the same now-stale entries. This PR finishes that cleanup and adds an unrelated npm fix.

## 1. Drop stale pyo3 advisory ignores from `.cargo/audit.toml` (cargo)

`pyo3`/`pyo3-async-runtimes` are at **0.29.0** in `Cargo.lock`, so these are "patched in >= 0.29" and no longer match any crate — dead suppressions:

- `RUSTSEC-2026-0176` — OOB read in `PyList`/`PyTuple` `nth`/`nth_back`
- `RUSTSEC-2026-0177` — missing `Sync` bound on `PyCFunction::new_closure`

`.cargo/audit.toml` is the file CI's `cargo-audit` (`rustsec/audit-check`) actually reads, so leaving these here keeps a live suppression that would re-mask the advisory if pyo3 were downgraded. The matching `deny.toml` entries were already removed by #2130.

Remaining ignore kept (still present, no fixed release): `RUSTSEC-2023-0071` (`rsa` Marvin, via `russh`).

## 2. Bump site ws/yaml to patched versions (npm)

Two GitHub Dependabot alerts on the `site/` Astro project, both deep transitive **dev** deps (build/deploy tooling, not shipped in the bundle):

- `ws` (GHSA-96hv-2xvq-fx4p, **high**): memory-exhaustion DoS; affects `>=8.0.0 <8.21.0`; via `wrangler > miniflare > ws`. Pinned `>=8.21.0`.
- `yaml` (GHSA-48c2-rrv3-qjmp, **moderate**): stack overflow via deeply nested collections; affects `>=2.0.0 <2.8.3`; via `@astrojs/check > … > yaml`. Pinned `>=2.8.3` (resolves 2.9.0).

Added as pnpm `overrides` alongside the existing esbuild/undici security pins. `pnpm audit` now reports **no known vulnerabilities** for `site/`.

## Verification

- `pyo3 = 0.29.0` / `pyo3-async-runtimes = 0.29.0` in `Cargo.lock`.
- `pnpm audit` clean for `site/`; Site Build + Cloudflare deploy green on the PR.
- RustSec DB is egress-blocked in the dev sandbox; CI's `cargo-audit` validates the cargo side on networked runners.

https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
## Motivation

RUSTSEC-2026-0176 and RUSTSEC-2026-0177 now that the workspace upgrades `pyo3` and `pyo3-async-runtimes` to 0.29, so future reintroductions are not silently suppressed.

## Description

`deny.toml`'s `[advisories].ignore` array to restore normal advisory reporting.

## Testing

- `python3 - <<'PY' ...`) that confirmed both advisory IDs are absent from `deny.toml` (passed).
- `cargo deny check advisories`, but it could not be executed in this environment because `cargo-deny` is not installed (not executed).

Codex Task