
fix(deps): bump anyhow to 1.0.103 (RUSTSEC-2026-0190)#638

Merged
benljbrooks merged 2 commits into
mainfrom
fix/rustsec-2026-0190
Jun 30, 2026

Conversation

@benljbrooks

Contributor

Pull Request

Description

Resolves the newly published RUSTSEC-2026-0190 advisory ("Unsoundness in anyhow::Error::downcast_mut()") that began failing the cargo audit CI job across the repository's Rust crates.

anyhow versions < 1.0.103 contain a Stacked Borrows violation (undefined behavior): when context is added via Error::context and Error::downcast_mut is later called, the returned &mut T is derived from a borrow chain that includes a shared (read-only) reference, so writing through it is UB. This is fixed upstream in anyhow 1.0.103.

This PR bumps anyhow from 1.0.102 to the patched 1.0.103 across all 16 standalone crate lockfiles. No source or manifest changes are required — every crate already declares anyhow = "1.0" (caret), which permits 1.0.103; only the pinned lockfile versions changed.

Related Issue

Relates to RUSTSEC-2026-0190 (https://rustsec.org/advisories/RUSTSEC-2026-0190)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe): Dependency security remediation (lockfile-only)

Implementation Details

  • Ran cargo update -p anyhow --precise 1.0.103 in each affected crate directory.
  • Only Cargo.lock files were modified — the anyhow = "1.0" caret constraint in the four direct dependents already allows 1.0.103, so no Cargo.toml edits were needed.
  • The six WASM operator crates use the private aio-sdks registry; the registry index was supplied via the CARGO_REGISTRIES_AIO_SDKS_INDEX environment variable so cargo could resolve those manifests. Only crates.io metadata for anyhow was fetched — no private packages were changed.
  • Crates updated (16 lockfiles):
    • src/900-tools-utilities/901-video-tools/cli/video-to-gif
    • src/500-application/503-media-capture-service/services/media-capture-service
    • src/500-application/511-rust-embedded-wasm-provider/operators/custom-provider
    • src/500-application/511-rust-embedded-wasm-provider/operators/map
    • src/500-application/501-rust-telemetry/services/sender
    • src/500-application/501-rust-telemetry/services/receiver
    • src/500-application/504-mqtt-otel-trace-exporter/services/mqtt-otel-trace-exporter
    • src/500-application/502-rust-http-connector/services/broker
    • src/500-application/502-rust-http-connector/services/subscriber
    • src/500-application/515-wasm-expressions/operators/datetime
    • src/500-application/514-wasm-msg-to-dss/operators/msg-to-dss-key
    • src/500-application/514-wasm-msg-to-dss/operators/dss-enricher-key
    • src/500-application/507-ai-inference/services/ai-edge-inference
    • src/500-application/507-ai-inference/services/ai-edge-inference-crate
    • src/500-application/507-ai-inference/services/ai-edge-inference-crate/tests/no-features-test
    • src/500-application/512-avro-to-json/operators/avro-to-json

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other: Ran cargo audit against an updated crate — RUSTSEC-2026-0190 no longer reported; confirmed every lockfile now resolves anyhow 1.0.103.

Validation Steps

  1. Confirm each affected Cargo.lock pins anyhow at 1.0.103:
    for f in $(find src -name Cargo.lock -not -path '*/target/*'); do awk '/name = "anyhow"/{getline; print FILENAME": "$3}' "$f"; done
  2. Run the CI cargo audit job (.github/workflows/dep-audit.yml) and confirm it passes with no RUSTSEC-2026-0190 advisory.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

N/A: No Terraform or Bicep was changed — this PR only updates Rust Cargo.lock files.

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles (N/A — no identity changes)
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities (this PR remediates RUSTSEC-2026-0190)
  • Container image changes use pinned digests or SHA references (N/A — no container image changes)

Additional Notes

Lockfile-only, semver-compatible patch bump; no behavioral or API changes. The branch contains a single commit isolating the anyhow update.

Updates anyhow from 1.0.102 to the patched 1.0.103 across all 16 standalone crate lockfiles to resolve the Error::downcast_mut unsoundness advisory failing cargo audit.
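The lockfile check from the Validation Steps above, carried one step further as an added example (this is not code from the PR or the repository): a POSIX shell script that extracts the resolved anyhow version from each Cargo.lock under a tree, compares it numerically against 1.0.103 instead of only printing it, and flags any lockfile still below the patched version or lacking an anyhow entry. The three Cargo.lock files it scans are constructed inline for the demonstration (abbreviated, with checksum lines omitted); the names PATCHED, lock_version, version_ge, lock_status and scan_tree are my own, not anything from the project.

```shell
#!/bin/sh
# Added example, not from the PR: verify that every Cargo.lock resolves anyhow
# at or above the version that fixes RUSTSEC-2026-0190.

PATCHED=1.0.103   # first anyhow release containing the fix, per the advisory

# Print the resolved version of package $2 in lockfile $1 (empty if absent).
# Cargo.lock lines look like:  name = "anyhow"  /  version = "1.0.103"
lock_version() {
  awk -v pkg="$2" '
    $1 == "[[package]]" { want = 0 }
    $1 == "name"        { gsub(/"/, "", $3); want = ($3 == pkg) }
    want && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Return 0 if dotted numeric version $1 >= $2 (no pre-release suffixes).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Print ok | unpatched | absent for the anyhow entry of lockfile $1.
lock_status() {
  v=$(lock_version "$1" anyhow)
  if [ -z "$v" ]; then echo absent
  elif version_ge "$v" "$PATCHED"; then echo ok
  else echo unpatched; fi
}

# Scan every Cargo.lock under $1 (skipping build output); return 1 if any
# lockfile still pins an unpatched anyhow.
scan_tree() {
  rc=0
  for f in $(find "$1" -name Cargo.lock -not -path '*/target/*' | sort); do
    s=$(lock_status "$f")
    printf '%s: anyhow %s (%s)\n' "$f" "${v:-none}" "$s"
    [ "$s" = unpatched ] && rc=1
  done
  return $rc
}

# --- constructed sample tree: one unpatched, one patched, one without anyhow ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/vuln" "$WORK/fixed" "$WORK/none"

cat > "$WORK/vuln/Cargo.lock" <<'EOF'
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "anyhow"
version = "1.0.102"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example"
version = "0.1.0"
dependencies = [
 "anyhow",
]
EOF

sed 's/1\.0\.102/1.0.103/' "$WORK/vuln/Cargo.lock" > "$WORK/fixed/Cargo.lock"

cat > "$WORK/none/Cargo.lock" <<'EOF'
version = 4

[[package]]
name = "example"
version = "0.1.0"
EOF

scan_tree "$WORK" || echo "at least one lockfile still needs the anyhow bump"
```

Unlike the awk one-liner in the PR, this exits non-zero when a lockfile is still below 1.0.103, so it can gate a CI step; `version_ge` only understands plain `major.minor.patch` triples, and `cargo audit` remains the authoritative check because it reads the advisory database rather than a hard-coded floor.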
@codecov-commenter

codecov-commenter commented Jun 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 31.80%. Comparing base (6e69b8b) to head (2a064bf).


@@           Coverage Diff           @@
##             main     #638   +/-   ##
=======================================
  Coverage   31.80%   31.80%           
=======================================
  Files          40       40           
  Lines        6015     6015           
=======================================
  Hits         1913     1913           
  Misses       4102     4102           
Flag Coverage Δ
rust 31.80% <ø> (ø)


Resolves HIGH advisories GHSA-cgwc-pv48-fhj5, GHSA-m9gh-vj53-gvh9 (python-engineio) and GHSA-5w7q-77mv-v69f (python-socketio), transitively pulled via nicegui in the ONVIF camera-dashboard service. Updates the pip-compile lockfile with the patched versions and their PyPI hashes.
@benljbrooks benljbrooks marked this pull request as ready for review June 29, 2026 23:34
@benljbrooks benljbrooks requested a review from a team June 29, 2026 23:34
@benljbrooks benljbrooks merged commit 9831b55 into main Jun 30, 2026
61 checks passed
@benljbrooks benljbrooks deleted the fix/rustsec-2026-0190 branch June 30, 2026 00:05