Commit fa79316
authored
fix(deps): clear all 36 open Dependabot vulnerabilities (#1045)
## Summary
Clears all 36 open Dependabot alerts (13 high, 14 moderate, 9 low)
across the Rust workspace and the dashboard. Done in 4 logically-grouped
commits so each is independently reviewable.
| # | Commit | Fixes |
|---|---|---|
| 1 | `chore(deps): regenerate dwctl/Cargo.lock` | ~22 stale alerts on
`dwctl/Cargo.lock`. The file had drifted far behind the workspace lock;
openssl, rustls-webpki, quinn-proto, bytes, tar, protobuf, time, rsa,
and rand were all already patched in the workspace lock — they just
hadn't propagated. |
| 2 | `fix(deps): bump jsonwebtoken 9 -> 10` | **CVE-2026-25537**
type-confusion auth bypass. Major-version bump required `ErrorKind`
match-arm updates (`Crypto(_)` split into `Signing(_)`/`Provider(_)`;
new `InvalidEddsaKey` and `InvalidClaimFormat(_)`) and an explicit
crypto-backend feature (`rust_crypto`). |
| 3 | `fix(deps): drop legacy rustls path from aws-sdk-s3, bump it to
1.131` | Two transitive vulns entered through `aws-sdk-s3`:
rustls-webpki 0.101.7 (via the default `rustls` feature → unmaintained
rustls 0.21 stack) and lru 0.12.5. Disabled `default-features` and
re-enabled the modern `default-https-client` path; bumped to 1.131 so
lru 0.16 lands. |
| 4 | `fix(deps): patch dashboard transitive vulnerabilities` | `pnpm
update` lifted vite 7.3.2 / postcss 8.5.10 / picomatch 4.0.4. lodash and
mdast-util-to-hast are pinned by parent packages (recharts,
react-markdown) at vulnerable versions even though patched releases
exist — added pnpm overrides for both. |
## Vulnerabilities addressed
**Rust:** openssl (CVE-2026-41676/77/78/81/898), rustls-webpki
(GHSA-82j2-j2ch-gfr8 + name-constraint issues), quinn-proto
(CVE-2026-31812), jsonwebtoken (CVE-2026-25537), tar
(CVE-2026-33055/56), bytes (CVE-2026-25541), protobuf (CVE-2025-53605),
time (CVE-2026-25727), rsa (CVE-2026-21895), rand (GHSA-cq8v-f236-94qc),
lru (GHSA-rhfx-m35p-ff5j).
**npm:** vite (CVE-2026-39363/64/65), lodash (CVE-2026-2950/4800,
CVE-2025-13465), picomatch (CVE-2026-33671/72), postcss
(CVE-2026-41305), mdast-util-to-hast (CVE-2025-66400). (glob and
minimatch alerts were dev-only and dropped out automatically when their
parent packages updated.)
## Test plan
- [x] `just lint rust` passes
- [x] `cargo test --workspace --lib` → **1242 passed, 0 failed**
- [x] `just lint ts` passes
- [x] `just test ts` → **498 passed, 0 failed**
- [x] `pnpm audit --prod` reports zero vulnerabilities
- [ ] CI on this PR
- [ ] Dependabot reconciles and closes the 36 alerts after merge
🤖 Generated with [Claude Code](https://claude.com/claude-code)1 parent 4bf5b54 commit fa79316
7 files changed
Lines changed: 3361 additions & 1558 deletions
File tree
- .github
- dashboard
- dwctl
- src/auth
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
| 12 | + | |
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| |||
0 commit comments