chore(security): bump rustls-webpki + rand patch versions; ignore upstream-blocked hickory advisories#34
Merged
Conversation
…tream-blocked hickory advisories
Closes 3 RustSec vulnerabilities flagged by `cargo audit` and the CI
Security Audit step, plus the rand unsoundness warning. Adds
`.cargo/audit.toml` to document the 2 remaining hickory-proto advisories
(both blocked on an iroh major bump, tracked as CHORE-iroh-bump).
## Bumps
- `rustls-webpki` 0.103.10 → 0.103.13 (transitive via iroh-relay /
reqwest / quinn / hickory-resolver). Closes:
- RUSTSEC-2026-0098 (URI name constraints incorrectly accepted)
- RUSTSEC-2026-0099 (wildcard cert name constraints accepted)
- RUSTSEC-2026-0104 (CRL parsing panic)
Patch bump within rustls's existing 0.103.x major; no API surface change.
- `rand` 0.9.2 → 0.9.4 (direct dep in `forgetty-sync` and root
`Cargo.toml`, also transitive via iroh chain). Closes the RUSTSEC-2026-0097
"rand unsound with custom logger using rand::rng()" warning. Patch bump
within rand's existing 0.9.x major; the rand 0.10.x breaking-API
migration is tracked separately as CHORE-rand-0.10-upgrade.
`cargo audit` before this commit: 5 vulnerabilities, 5 warnings.
After: 0 unignored vulnerabilities, 4 warnings (all unmaintained
transitives that don't fail CI).
## .cargo/audit.toml
Two hickory-proto advisories remain after the bumps. Both are transitive
via `iroh 0.97.x → iroh-relay → hickory-resolver → hickory-proto 0.25.x`:
- RUSTSEC-2026-0119 — CPU exhaustion via O(n²) DNS name compression.
Fix available in hickory-proto >= 0.26.1; blocked on bumping iroh past
0.97.x (which pins hickory 0.25.x). Tracked as CHORE-iroh-bump.
- RUSTSEC-2026-0118 — NSEC3 closest-encloser proof unbounded loop. NO
upstream fix available as of 2026-05-05
(GHSA-3v94-mw7p-v465).
Re-evaluate when hickory-dns ships a fix.
Both are ignored with rationale comments in `.cargo/audit.toml`. The
threat model for solo-dogfood use (LAN-only iroh pairing) makes neither
exploitable in practice; they become higher-priority once forgetty has
external users pairing devices over untrusted networks.
## Tests
- cargo check --workspace: PASS
- cargo build --release: PASS (implicit via cargo check)
- cargo test --workspace --exclude forgetty-gtk: PASS (203 tests; same
as pre-bump baseline)
- cargo audit: exits 0 (was: exit 1 with 5 vulnerabilities)
## Files
- Cargo.lock +15 -15 (rustls-webpki + rand bumps)
- .cargo/audit.toml +30 -0 (new file; ignore list with
rationale for the 2 remaining
hickory advisories)
## Supersedes
- PR #32 (rustls-webpki 0.103.10 → 0.103.13) — same bump, closed in favour
of this consolidated commit
- PR #33 (rand 0.9.2 → 0.9.3) — same bump but to 0.9.4 (one patch newer);
closed in favour of this consolidated commit
This was referenced May 5, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes 3 RustSec vulnerabilities flagged by the CI Security Audit step + the rand unsoundness warning. Adds
.cargo/audit.tomlto document the 2 remaining hickory-proto advisories (both blocked on an iroh major bump). After this PR,cargo auditexits 0 and CI's Security Audit step turns green.Supersedes PR #32 and PR #33.
What changed
Patch bumps (Cargo.lock only — no Cargo.toml semver constraints touched)
rustls-webpkiRUSTSEC-2026-0099 (wildcard cert name constraints accepted)
RUSTSEC-2026-0104 (CRL parsing panic)
randrand::rng())rustls-webpkiis purely transitive (iroh-relay / reqwest / quinn / hickory-resolver).randis a direct dep inforgetty-syncand rootCargo.tomlalready pinned at\"0.9\"so the patch bump fits within the existing semver constraint.PR #33 attempted the rand bump to 0.9.3; this consolidates to 0.9.4 (one patch newer) which is the latest within the 0.9.x series. The breaking 0.10.x migration is deferred to a separate task.
.cargo/audit.toml(new file)Two hickory-proto advisories remain after the bumps. Both are transitive via
iroh 0.97.x → iroh-relay → hickory-resolver → hickory-proto 0.25.x— bumping them requires a major iroh bump (deferred). The new file ignores both with rationale comments + clear re-evaluation triggers:Threat model: both vulns require an attacker who can return crafted DNS responses for iroh relay name resolution. Low realistic exposure for solo-dogfood LAN pairing; higher once external users pair devices over untrusted networks. Acceptable risk for v0.1.0-beta with 1 user.
How the fix works
rustsec/audit-check@v2(the GitHub Action wrapping cargo audit) reads.cargo/audit.tomlby default. The[advisories].ignorelist suppresses the 2 documented hickory advisories from the failure exit code while still reporting them in the action's log output. The 4 remaining unmaintained-transitive warnings (atomic-polyfill,instant,paste,unicode-segmentationyanked) are warnings, not errors — they don't fail CI.Tests
cargo check --workspacecargo build --releasecargo test --workspace --exclude forgetty-gtkcargo audit(pre-PR)cargo audit(post-PR)Audit numbers
Follow-ups (filed in
docs/harness/BACKLOG.md, not committed).cargo/audit.tomlignores as upstream fixes ship.Files
Test plan
cargo check --workspacecargo clippy --workspace -- -D warningscargo test --workspace --exclude forgetty-gtkcargo build --releasecargo audit(exits 0)🤖 Generated with Claude Code