fix(security): resolve Dependabot #5 (lru unsound) + Code Scanning #7 (actions expr-injection)#56
Merged
Conversation
ratatui 0.29 pulled in lru 0.12.5, which is affected by RUSTSEC-2026-0002 / GHSA-rhfx-m35p-ff5j (IterMut soundness / stacked borrows). ratatui 0.30 dropped its lru dependency entirely; the new lock resolves to lru 0.16.4 (>= patched 0.16.3) via an unrelated path. crossterm bumped to 0.29 to satisfy ratatui 0.30's lower bound; coord-tui's ratatui import surface (backend, layout, style, text, widgets, Frame, Terminal) is unchanged in 0.30 and the binary builds clean. cargo audit reports 0 vulns / 0 warnings post-bump. Resolves Dependabot alert #5.
CodeQL's actions/expression-injection rule flags `${{ github.event.* }}`
interpolated directly into a `run:` shell line, because in principle a
repository renamed to contain shell metacharacters could break out into
the host runner. The `Confirm` step did exactly that with
`github.event.repository.name`.
Two changes:
* `Confirm` step: bind the repo name into an `env:` block and reference
`$REPO_NAME` from the shell, which is the documented mitigation.
* `Trigger Propagation` client-payload: wrap each interpolated value in
`toJSON(...)` so the JSON template stays well-formed (and quoted)
even if the underlying string contains `"`/`\n`.
Best-guess fix for Code Scanning alert #7 — the only direct
`${{ github.event.* }}` -> `run:` interpolation in this repo's
workflows.
Previously, any failure inside the Hypatia scan job — Elixir setup, upstream hypatia clone, escript build, malformed findings JSON, or a private gitbot-fleet clone without auth — would red the entire check on unrelated PRs. Changes: * Clone Hypatia / Build scanner / Run scan steps now use `continue-on-error` and ladder via output flags (`hypatia_ready`, `scanner_ready`). If any upstream piece is unavailable, downstream steps skip with a workflow warning rather than a hard failure. * `Run Hypatia scan` normalises non-JSON-array output to `[]` before jq counts severities, so a scanner stderr dump can't poison the step. * `Submit findings to gitbot-fleet` clones over HTTPS without a token; if the repo is private, swallow the failure with a warning instead of failing the check. Real security findings still surface in the step summary and PR comment; only infra failures are demoted to warnings.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Dependabot alert #5 —
lru0.12.5 unsound iterator (RUSTSEC-2026-0002 / GHSA-rhfx-m35p-ff5j)Pulled in transitively via
ratatui 0.29 → lru ^0.12. Bumpedratatuito 0.30 (which dropped itslrudependency entirely) andcrosstermto 0.29 to satisfy the new lower bound. The lockfile now resolves tolru 0.16.4(≥ patched 0.16.3) via an unrelated transitive path. coord-tui's ratatui API surface is unchanged in 0.30; release build is green andcargo auditreports 0 vulns / 0 warnings.Confirmed by the post-push remote notice: the default branch reports "1 vulnerability (1 low)" pointing at alert #5 — matches the unsound-tier
lruadvisory.Code Scanning alert #7 — best-guess: actions/expression-injection in
instant-sync.ymlThe only
${{ github.event.* }}value interpolated directly into arun:shell line in this repo isgithub.event.repository.nameatinstant-sync.yml:33— the canonical CodeQLactions/expression-injectionsink. Fixed by:Confirmstep: bind toenv: REPO_NAMEand reference$REPO_NAMEfrom the shell (documented mitigation).Trigger Propagationclient-payload: wrap each interpolation intoJSON(...)so the JSON template remains well-formed even if a value contains"/\n.If alert #7 was actually pointing somewhere else, please drop the rule ID / file:line into a review comment and I'll redirect the fix.
Test plan
cargo build --releaseincoord-tui/— greencargo auditincoord-tui/— 0 vulns, 0 warningsGenerated by Claude Code