Skip to content

Security: track the 9 open Dependabot advisories (umbrella for #534/#535/#536) #575

Description

@suchapalaver

Summary

GitHub reports 9 open Dependabot "Security and quality" advisories. This is an umbrella tracking issue: each advisory already has a dedicated remediation issue, but there was no single place to see the full set and its blocked/unblocked status. The list below is the source of truth; close this when all 9 alerts clear.

All 9 reach us transitively — none are direct dependencies of our crates. Seven root in a single dep (fnox 0.1), two in microsandbox, one in quickjs_runtime.

The 9 alerts

# Severity Package (stuck version) Root dep Patched in Tracked by
#4 medium jsonwebtoken 9.3.1 (Type Confusion → authz bypass) fnox → google-cloud-auth → google-cloud-kms 10.3.0 #534
#16 low rustls-webpki 0.101.7 (URI name constraints) fnox → aws-config → aws-smithy-http-client (rustls 0.21.x) 0.103.12 #534
#17 low rustls-webpki 0.101.7 (wildcard name constraints) fnox → aws-config (rustls 0.21.x) 0.103.12 #534
#19 low rand 0.7.3 (custom-logger unsoundness) fnox → azure_identity → azure_core → http-types 0.8.6 #534
#25 high rustls-webpki 0.101.7 (panic on malformed CRL BIT STRING) fnox → aws-config (rustls 0.21.x) 0.103.13 #534
#6 low atty 0.2.14 (unaligned read; unmaintained) fnox (direct) no fix #534
#29 high hickory-proto 0.25.2 (NSEC3 unbounded loop) microsandbox 0.3.13 → microsandbox-network no fix on 0.25.x #535
#30 medium hickory-proto 0.25.2 (O(n²) name-compression CPU exhaustion) microsandbox 0.3.13 → microsandbox-network 0.26.1 #535
#1 low lru 0.14.0 (Stacked Borrows / IterMut) quickjs_runtime 0.15.7 0.16.3 #536

Remediation status

Verification

This issue closes when gh api repos/semiotic-agentium/agentium-os/dependabot/alerts --jq '[.[]|select(.state=="open")]|length' returns 0, and the lockfile no longer contains jsonwebtoken 9.3.1, rustls-webpki 0.101.7, rand 0.7.3, atty 0.2.14, hickory-proto 0.25.2, or lru 0.14.0.

Follow-up from #531 (the 16 advisories cargo update alone closed).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions