Copilot AI commented Jan 10, 2026

Pull Request

Description

Fixes soundness vulnerability RUSTSEC-2026-0002 in lru 0.12.5 where IterMut violates Stacked Borrows by invalidating internal pointers. The vulnerable version was pulled in transitively through iced_glyphon 0.6.0.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Performance improvement
  • Code refactoring

Changes Made

  • Vendored iced_glyphon 0.6.0 source in vendor/iced_glyphon/
  • Updated vendored copy's lru dependency from 0.12.1 to 0.16.3
  • Added [patch.crates-io] in workspace Cargo.toml to use vendored version
  • Added documentation in vendor/README.md and SECURITY-FIX-RUSTSEC-2026-0002.md

Dependency chain before fix:

rustirc → iced 0.13.1 → iced_glyphon 0.6.0 → lru 0.12.5 ❌

After fix:

rustirc → iced 0.13.1 → iced_glyphon 0.6.0 (vendored) → lru 0.16.3 ✅

Rationale for vendoring:
No updated iced_glyphon version exists with fixed lru dependency. Upstream iced 0.14+ has breaking changes the project explicitly avoids. Vendor patch is cleanest minimal fix until upstream updates or iced 0.14 migration.

Testing

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Test Details

  • Dependency tree verification: Confirmed lru 0.12.5 completely removed, only 0.16.3 present
  • Clean build: Fresh cargo clean && cargo build succeeds
  • Clippy: No warnings with --all-targets -- -D warnings
  • Existing tests: All pass with no changes required

Screenshots (if applicable)

N/A - Security fix with no UI changes

Performance Impact

  • This change has no performance impact
  • This change improves performance
  • This change may reduce performance (explain why it's worth it)

Security Considerations

  • This change has no security implications
  • This change improves security
  • This change requires security review (explain)

Security improvement: Eliminates memory unsoundness in lru crate that could cause undefined behavior through Stacked Borrows violation.

Breaking Changes

  • This PR introduces no breaking changes
  • This PR introduces breaking changes (describe migration path)

Checklist

  • Cargo fmt has been run
  • Cargo clippy shows no warnings
  • Documentation has been updated
  • CHANGELOG.md has been updated
  • All CI checks pass

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.rs
  • https://api.github.com/repos/iced-rs/cryoglyph/commits/bb8f59f
  • https://api.github.com/repos/jeromefroe/lru-rs/commits/0.16.3
    • Triggering command: /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo update (http block)
    • Triggering command: /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo /home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/bin/cargo tree -i [email protected] (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>RUSTSEC-2026-0002: IterMut violates Stacked Borrows by invalidating internal pointer</issue_title>
<issue_description>

IterMut violates Stacked Borrows by invalidating internal pointer

Details

Status: unsound
Package: lru
Version: 0.12.5
URL: jeromefroe/lru-rs#224
Date: 2026-01-07

Affected versions of this crate contain a soundness issue in the IterMut
iterator implementation. The IterMut::next and IterMut::next_back
methods temporarily create an exclusive reference to the key when
dereferencing the internal node pointer.

This invalidates the shared pointer held by the internal HashMap,
violating Stacked Borrows rules.

See advisory page for additional details.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Note

Addresses RUSTSEC-2026-0002 by replacing the vulnerable lru 0.12.5 pulled via iced_glyphon.

  • Vendors iced_glyphon 0.6.0 in vendor/iced_glyphon and updates its Cargo.toml to depend on lru 0.16.3
  • Adds [patch.crates-io] in workspace Cargo.toml to use the vendored iced_glyphon
  • Updates Cargo.lock to drop lru 0.12.5 and resolve to lru 0.16.3
  • Adds SECURITY-FIX-RUSTSEC-2026-0002.md and vendor/README.md documenting the change

Written by Cursor Bugbot for commit c3ca63f.

Copilot AI self-assigned this Jan 10, 2026
Copilot AI changed the title from "[WIP] Fix IterMut soundness issue in lru crate" to "Fix RUSTSEC-2026-0002: Patch lru soundness vulnerability in iced_glyphon" Jan 10, 2026
Copilot AI requested a review from doublegate January 10, 2026 08:52

@doublegate doublegate left a comment

Reviewed / Approved -- DG 1/10

@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • Cargo.lock

@doublegate doublegate marked this pull request as ready for review January 10, 2026 15:39
Copilot AI review requested due to automatic review settings January 10, 2026 15:39
Copilot AI left a comment

Pull request overview

This pull request addresses the critical security vulnerability RUSTSEC-2026-0002 in the lru crate by vendoring and patching the iced_glyphon dependency. The vulnerable lru 0.12.5 was being pulled transitively through iced_glyphon 0.6.0, which specified lru ^0.12.1 in its dependencies.

Changes:

  • Vendored iced_glyphon 0.6.0 source code with updated lru dependency (0.12.1 → 0.16.3)
  • Applied Cargo patch in workspace to use vendored version instead of crates.io version
  • Added comprehensive documentation explaining the fix and rationale

Reviewed changes

Copilot reviewed 2 out of 24 changed files in this pull request and generated no comments.

Summary per file:

  • Cargo.toml: Added [patch.crates-io] section to redirect iced_glyphon to vendored version
  • Cargo.lock: Removed vulnerable lru 0.12.5; now only uses patched lru 0.16.3
  • vendor/iced_glyphon/Cargo.toml: Updated lru dependency from 0.12.1 to 0.16.3 in vendored package
  • vendor/iced_glyphon/src/*.rs: Complete vendored source files from iced_glyphon 0.6.0 (unmodified except dependency)
  • vendor/iced_glyphon/LICENSE-*: License files preserved from original package
  • vendor/iced_glyphon/examples/*: Example files from original package
  • vendor/README.md: Documentation explaining the vendoring rationale and tracking info
  • SECURITY-FIX-RUSTSEC-2026-0002.md: Comprehensive security fix documentation with vulnerability details

@doublegate doublegate merged commit 8e06121 into main Jan 10, 2026
29 checks passed
@doublegate doublegate deleted the copilot/fix-itermut-soundness-issue branch January 10, 2026 15:49