
fix(deps): resolve all RUSTSEC security advisories #561

Merged: echobt merged 1 commit into master from fix/rustsec-deps-1770039055, Feb 2, 2026

echobt commented Feb 2, 2026

Summary

Resolves all RUSTSEC security advisories by updating dependencies rather than using exceptions.

Changes

Security Fixes

  • wasmtime v29 → v41: Fixes multiple vulnerabilities:
    • RUSTSEC-2025-0118: shared memory API (low severity)
    • RUSTSEC-2025-0046: fd_renumber panic (low severity)
    • RUSTSEC-2026-0006: f64.copysign segfault (medium severity)
    • RUSTSEC-2025-0057: fxhash unmaintained (transitive)
    • RUSTSEC-2024-0436: paste unmaintained (transitive)
  • scraper v0.22 → v0.25: Removes fxhash transitive dependency
  • ratatui v0.29 → v0.30: Fixes RUSTSEC-2026-0002 (lru unsound iteration)
  • crossterm v0.28 → v0.29: Required for ratatui v0.30 compatibility
  • tui-textarea: Updated to git version for ratatui v0.30 support

Code Changes

  • Updated `MockBackend` trait implementation for ratatui v0.30 API (new `clear_region` method and `Error` associated type)
  • Fixed lifetime annotations in `borders.rs` for compatibility with ratatui v0.30

Configuration

  • Removed all RUSTSEC ignore entries from `.cargo/audit.toml`

Verification

  • `cargo check --workspace` passes
  • `cargo audit` passes with zero vulnerabilities

Update dependencies to fix security vulnerabilities:

- wasmtime v29 → v41: Fixes RUSTSEC-2025-0118 (shared memory API),
  RUSTSEC-2025-0046 (fd_renumber panic), RUSTSEC-2026-0006 (f64.copysign
  segfault), RUSTSEC-2025-0057 (fxhash unmaintained), RUSTSEC-2024-0436
  (paste unmaintained)
- scraper v0.22 → v0.25: Removes fxhash transitive dependency
- ratatui v0.29 → v0.30: Fixes RUSTSEC-2026-0002 (lru unsound iteration)
- crossterm v0.28 → v0.29: Required for ratatui v0.30 compatibility
- tui-textarea: Updated to git version for ratatui v0.30 support

All RUSTSEC ignore entries removed from .cargo/audit.toml.
Code changes: Updated MockBackend trait impl and lifetime annotations
for ratatui v0.30 API changes.

echobt merged commit afb1af1 into master Feb 2, 2026
4 checks passed
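
A lockfile check that could run beside `cargo audit` to keep the crates upgraded here from regressing, as an added example that is not code from this PR or project. The version floors are taken from the PR description; the lockfile excerpt, patch versions and function names are constructed for illustration.

```rust
// Added example: flag locked crates that fall below the versions named in the PR.
// Floors (major, minor) come from the PR description; everything else is constructed.
const FLOORS: &[(&str, u64, u64)] = &[
    ("wasmtime", 41, 0),
    ("scraper", 0, 25),
    ("ratatui", 0, 30),
    ("crossterm", 0, 29),
];

/// Return the quoted value of a `key = "value"` line, as written in Cargo.lock.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// List every locked "name version" below its floor. A lockfile can hold several
/// versions of one crate, so each [[package]] entry is checked on its own.
fn below_floor(lock: &str) -> Vec<String> {
    let mut bad = Vec::new();
    let mut name = "";
    for line in lock.lines() {
        if let Some(n) = quoted(line, "name") {
            name = n;
        } else if let Some(v) = quoted(line, "version") {
            // A component that does not parse counts as 0, so it fails closed.
            let mut nums = v.split('.').map(|p| p.parse::<u64>().unwrap_or(0));
            let got = (nums.next().unwrap_or(0), nums.next().unwrap_or(0));
            for &(krate, major, minor) in FLOORS {
                if krate == name && got < (major, minor) {
                    bad.push(format!("{} {}", name, v));
                }
            }
        }
    }
    bad
}

// Constructed lockfile excerpt: crossterm is locked twice, once below the floor.
const SAMPLE_LOCK: &str = "version = 4\n\n\
[[package]]\nname = \"crossterm\"\nversion = \"0.28.1\"\n\n\
[[package]]\nname = \"crossterm\"\nversion = \"0.29.0\"\n\n\
[[package]]\nname = \"ratatui\"\nversion = \"0.30.0\"\ndependencies = [\n \"crossterm 0.29.0\",\n]\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"41.0.0\"\n";

fn main() {
    let bad = below_floor(SAMPLE_LOCK);
    for b in &bad { eprintln!("below floor: {}", b); }
    std::process::exit(if bad.is_empty() { 0 } else { 1 });
}
```

A version at or above the floor is not proof of a clean tree, so `cargo audit` remains the authority; this check only catches a downgrade or a second, older copy of a crate pulled in transitively.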