Skip to content

fix: upgrade dependencies to resolve cargo-audit vulnerabilities#4328

Merged
Hmbown merged 1 commit into
Hmbown:mainfrom
bistack:fix/cargo-audit-deps
Jul 10, 2026
Merged

fix: upgrade dependencies to resolve cargo-audit vulnerabilities#4328
Hmbown merged 1 commit into
Hmbown:mainfrom
bistack:fix/cargo-audit-deps

Conversation

@bistack

@bistack bistack commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Upgrade dependencies to fix security vulnerabilities found by cargo-audit:

  • crossbeam-epoch 0.9.18 → 0.9.20 (fix RUSTSEC-2026-0204: invalid pointer dereference)
  • pdf-extract 0.10 → 0.12, lopdf 0.38.0 → 0.42.0 (fix RUSTSEC-2026-0187: stack overflow)
  • ttf-parser 0.25.1 remains (unmaintained warning, no upgrade available from lopdf)

Testing

  • cargo audit: 2 vulnerabilities fixed, 1 warning remaining
  • cargo check --workspace: compiles successfully

- crossbeam-epoch 0.9.18 -> 0.9.20 (fix RUSTSEC-2026-0204)
- pdf-extract 0.10 -> 0.12, lopdf 0.38.0 -> 0.42.0 (fix RUSTSEC-2026-0187)
- ttf-parser 0.25.1 remains (unmaintained warning, no upgrade available)
@bistack bistack requested a review from Hmbown as a code owner July 10, 2026 02:47
@github-actions

Copy link
Copy Markdown

Thanks @bistack for taking the time to contribute.

This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered.

Please read CONTRIBUTING.md for the expected contribution shape. A maintainer can grant recurring PR access by commenting /lgtm on a pull request.

@Hmbown

Hmbown commented Jul 10, 2026

Copy link
Copy Markdown
Owner

/lgtm

@Hmbown Hmbown merged commit b83baf9 into Hmbown:main Jul 10, 2026
15 checks passed
@bistack bistack deleted the fix/cargo-audit-deps branch July 10, 2026 03:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants