Skip to content

fix(deps): update vulnerable dependencies for cargo audit#346

Closed
pistomat wants to merge 3 commits into
mainfrom
mp/add-cargo-audit-ci
Closed

fix(deps): update vulnerable dependencies for cargo audit#346
pistomat wants to merge 3 commits into
mainfrom
mp/add-cargo-audit-ci

Conversation

@pistomat

@pistomat pistomat commented Mar 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add minimum version constraint for quinn-proto >= 0.11.14 in Cargo.toml to protect downstream consumers (RUSTSEC-2026-0037)
  • Update Cargo.lock: quinn-proto 0.11.12 → 0.11.14, alloy-dyn-abi and ruint to latest compatible versions

The security audit CI workflow already exists on main. This PR ensures it passes with current advisory database and adds the Cargo.toml constraint so downstream consumers inherit the fix.

Test plan

  • cargo audit passes locally with 0 vulnerabilities
  • Security audit CI passes on this PR

Related: ENG-5667

🤖 Generated with Claude Code

Update quinn-proto 0.11.12 → 0.11.14 to fix RUSTSEC-2026-0037
(Denial of service in Quinn endpoints).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pistomat and others added 2 commits March 10, 2026 14:52
Add quinn-proto = "0.11.14" as direct dependency to enforce minimum
version for downstream consumers, fixing RUSTSEC-2026-0037.

Library Cargo.lock updates alone don't protect downstream users since
they build their own lockfile resolution.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
quinn-proto is only transitively needed via reqwest, which is already
optional and gated behind the evm feature. Making it unconditional would
pull it into the dependency tree for consumers not using evm.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dianacarvalho1

Copy link
Copy Markdown
Collaborator

@github-project-automation github-project-automation Bot moved this from Todo to Done in Tycho Mar 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants