Skip to content

Commit fa79316

Browse files
authored
fix(deps): clear all 36 open Dependabot vulnerabilities (#1045)
## Summary Clears all 36 open Dependabot alerts (13 high, 14 moderate, 9 low) across the Rust workspace and the dashboard. Done in 4 logically-grouped commits so each is independently reviewable. | # | Commit | Fixes | |---|---|---| | 1 | `chore(deps): regenerate dwctl/Cargo.lock` | ~22 stale alerts on `dwctl/Cargo.lock`. The file had drifted far behind the workspace lock; openssl, rustls-webpki, quinn-proto, bytes, tar, protobuf, time, rsa, and rand were all already patched in the workspace lock — they just hadn't propagated. | | 2 | `fix(deps): bump jsonwebtoken 9 -> 10` | **CVE-2026-25537** type-confusion auth bypass. Major-version bump required `ErrorKind` match-arm updates (`Crypto(_)` split into `Signing(_)`/`Provider(_)`; new `InvalidEddsaKey` and `InvalidClaimFormat(_)`) and an explicit crypto-backend feature (`rust_crypto`). | | 3 | `fix(deps): drop legacy rustls path from aws-sdk-s3, bump it to 1.131` | Two transitive vulns entered through `aws-sdk-s3`: rustls-webpki 0.101.7 (via the default `rustls` feature → unmaintained rustls 0.21 stack) and lru 0.12.5. Disabled `default-features` and re-enabled the modern `default-https-client` path; bumped to 1.131 so lru 0.16 lands. | | 4 | `fix(deps): patch dashboard transitive vulnerabilities` | `pnpm update` lifted vite 7.3.2 / postcss 8.5.10 / picomatch 4.0.4. lodash and mdast-util-to-hast are pinned by parent packages (recharts, react-markdown) at vulnerable versions even though patched releases exist — added pnpm overrides for both. | ## Vulnerabilities addressed **Rust:** openssl (CVE-2026-41676/77/78/81/898), rustls-webpki (GHSA-82j2-j2ch-gfr8 + name-constraint issues), quinn-proto (CVE-2026-31812), jsonwebtoken (CVE-2026-25537), tar (CVE-2026-33055/56), bytes (CVE-2026-25541), protobuf (CVE-2025-53605), time (CVE-2026-25727), rsa (CVE-2026-21895), rand (GHSA-cq8v-f236-94qc), lru (GHSA-rhfx-m35p-ff5j). **npm:** vite (CVE-2026-39363/64/65), lodash (CVE-2026-2950/4800, CVE-2025-13465), picomatch (CVE-2026-33671/72), postcss (CVE-2026-41305), mdast-util-to-hast (CVE-2025-66400). (glob and minimatch alerts were dev-only and dropped out automatically when their parent packages updated.) ## Test plan - [x] `just lint rust` passes - [x] `cargo test --workspace --lib` → **1242 passed, 0 failed** - [x] `just lint ts` passes - [x] `just test ts` → **498 passed, 0 failed** - [x] `pnpm audit --prod` reports zero vulnerabilities - [ ] CI on this PR - [ ] Dependabot reconciles and closes the 36 alerts after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code)
1 parent 4bf5b54 commit fa79316

7 files changed

Lines changed: 3361 additions & 1558 deletions

File tree

.github/copilot-instructions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ The Doubleword Control Layer (dwctl) is a high-performance AI model gateway prov
99

1010
### Prerequisites
1111
- **Rust 1.88+** (SQLx compatibility requirement)
12-
- **Node.js 20+** with npm
12+
- **Node.js 20.19+** (or 22.12+) — required by Vite 7; declared in `dashboard/package.json` `engines`
1313
- **PostgreSQL** (running database required for Rust compilation due to SQLx)
1414
- **just** (command runner): `cargo install just`
1515
- **Docker** with Compose plugin

0 commit comments

Comments
 (0)