Skip to content

chore(security): backport Cut 9 lockfile hygiene from loctree-suite#57

Merged
Szowesgad merged 1 commit into
mainfrom
chore/security-hygiene-port
Apr 28, 2026
Merged

chore(security): backport Cut 9 lockfile hygiene from loctree-suite#57
Szowesgad merged 1 commit into
mainfrom
chore/security-hygiene-port

Conversation

@Szowesgad

Copy link
Copy Markdown
Contributor

Summary

Single-commit backport of loctree-suite Cut 9 security hygiene work to the public mirror. Zero source-code changes. Zero version bumps. Zero feature port. Pure lockfile cleanup.

Inventory

Live Dependabot snapshot pre-Cut-9-port: 12 vulnerabilities flagged on loctree-ast (subset of org-wide 62, after Suite-side cleanup absorbed many duplicates).

Patches

Patch A — root Cargo.lock chirurgical bumps (6 packages, 11 of 12 vulns addressed):

  • aws-lc-rs / aws-lc-sys — CRL Distribution Point Scope, X.509 Name Constraints Bypass, PKCS7_verify (Sig + Cert Chain), AES-CCM Tag Timing Side-Channel
  • lz4_flex — info leak in decompression
  • quinn-proto — unauthenticated remote DoS via panic in QUIC transport
  • rustls / rustls-webpki — DoS via panic on malformed CRL BIT STRING + CRL authority bug

Patch B — orphan Cargo.lock cleanup (4 files removed):

  • loctree_rs/Cargo.lock
  • loctree-mcp/Cargo.lock
  • reports/Cargo.lock
  • reports/wasm/Cargo.lock

All 4 verified as workspace members (no own [workspace] section, cargo metadata resolves to root). Workspace member Cargo.lock files are ignored by cargo at build time but Dependabot/cargo-audit/Snyk each read them separately → duplicate alerts. Hygiene principle: 1 lockfile per workspace.

Patch C — .gitignore recidivism guard:

loctree_rs/Cargo.lock
loctree-mcp/Cargo.lock
reports/Cargo.lock
reports/wasm/Cargo.lock

Verification

  • cargo check --workspace
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo test -p loctree --lib1015 passed / 0 failed
  • cargo audit → 12 → 1 vulnerability (only rsa 0.9.10 RUSTSEC-2023-0071 Marvin Attack remains; no upstream patch available — same residual as loctree-suite after its Cut 9)
  • Pre-push hook (11/11 steps) ✅

Boundary

  • Zero source changes: no loctree_rs/src/**, no loctree-mcp/src/**, no Cargo.toml
  • Zero version bumps: all version = "..." lines untouched
  • Zero feature port: no Cut 3/4/5/6/7/8 work from loctree-suite brought in
  • Residual: rsa 0.9.10 (Marvin Attack) — identical state to loctree-suite, awaits upstream fix

Bonus insights captured

  1. Feature-gated dep update gotcha: cargo update -p X only sees default-feature graph. Optional deps (e.g. aws-lc-sys behind memex feature) fail with did not match. Workaround: bump parent crate (aws-lc-rs) which declares semver for problem dep.
  2. Workspace lockfile single-source-of-truth: Orphan Cargo.lock in members is silent for cargo (build doesn't use them) but Dependabot/cargo-audit/Snyk each read all of them. Hygiene = 1 lockfile + gitignore as recidivism guard.

Test plan

  • CI green (whatever loctree-ast runs on PR)
  • After merge: gh api orgs/Loctree/dependabot/alerts?state=open | jq '[.[] | select(.repository.name == "loctree-ast")] | length' returns ≤1 (only Marvin Attack rsa, until upstream patch)

Reference

Sister PR (loctree-suite): https://github.com/Loctree/loctree-suite/pull/16 (merged → develop as 213e9f02)

…rom loctree-suite

- Verified workspace structure: 5 members (loctree, loctree-mcp, rmcp-common, report-leptos, report-wasm), root Cargo.lock is single source of truth.
- cargo update -p {lz4_flex, quinn-proto, rustls-webpki, aws-lc-rs, rustls}: 6 chirurgicznych bumps:
  * aws-lc-rs 1.15.4 -> 1.16.3 (wciąga aws-lc-sys 0.37.1 -> 0.40.0)
  * aws-lc-sys 0.37.1 -> 0.40.0 (RUSTSEC-2026-0044/0045/0046/0047/0048: name constraints, AES-CCM timing, PKCS7 verify, CRL scope)
  * lz4_flex 0.11.5 -> 0.11.6 (RUSTSEC-2026-0041: uninit memory leak)
  * quinn-proto 0.11.13 -> 0.11.14 (RUSTSEC-2026-0037: DoS)
  * rustls 0.23.36 -> 0.23.39 (transitive bump podczas update)
  * rustls-webpki 0.103.9 -> 0.103.13 (RUSTSEC-2026-0049/0098/0099/0104: CRL panic, name constraint accepts)
- Removed 4 orphan Cargo.lock files: loctree_rs/, loctree-mcp/, reports/, reports/wasm/
  (wszystkie potwierdzone jako workspace members bez własnego [workspace] section).
- Updated .gitignore z patternami zapobiegającymi orphan re-creation.
- Verified: cargo check --workspace, cargo clippy --workspace --all-targets -D warnings, cargo test -p loctree --lib (1015 passed), cargo audit (12 -> 1 vuln).
- Pozostały 1 vuln: rsa 0.9.10 RUSTSEC-2023-0071 (Marvin Attack) — brak upstream patcha, identyczny stan jak loctree-suite po Cut 9.
- No source code changes. No Cargo.toml changes. No feature port from loctree-suite.

Authored-By: claude <agents@vetcoders.io>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependencies in the root Cargo.lock, including rustls and aws-lc-rs, and modifies the .gitignore to exclude orphan Cargo.lock files from workspace members. Feedback was provided regarding the incompleteness of the .gitignore list, specifically suggesting the addition of /rmcp-common/Cargo.lock and the use of leading slashes for path consistency.

Comment thread .gitignore
Comment on lines +89 to +92
loctree_rs/Cargo.lock
loctree-mcp/Cargo.lock
reports/Cargo.lock
reports/wasm/Cargo.lock

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The list of ignored orphan Cargo.lock files is incomplete. The workspace member rmcp-common (defined in the root Cargo.toml) should also have its lockfile ignored to maintain workspace hygiene and prevent redundant Dependabot alerts. Additionally, using a leading slash for these paths would be consistent with the rest of the .gitignore file and ensures they are anchored to the repository root.

/loctree_rs/Cargo.lock
/loctree-mcp/Cargo.lock
/rmcp-common/Cargo.lock
/reports/Cargo.lock
/reports/wasm/Cargo.lock

@Szowesgad Szowesgad merged commit e3b15c9 into main Apr 28, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant