chore(security): backport Cut 9 lockfile hygiene from loctree-suite#57
Conversation
…rom loctree-suite
- Verified workspace structure: 5 members (loctree, loctree-mcp, rmcp-common, report-leptos, report-wasm), root Cargo.lock is single source of truth.
- cargo update -p {lz4_flex, quinn-proto, rustls-webpki, aws-lc-rs, rustls}: 6 chirurgicznych bumps:
* aws-lc-rs 1.15.4 -> 1.16.3 (wciąga aws-lc-sys 0.37.1 -> 0.40.0)
* aws-lc-sys 0.37.1 -> 0.40.0 (RUSTSEC-2026-0044/0045/0046/0047/0048: name constraints, AES-CCM timing, PKCS7 verify, CRL scope)
* lz4_flex 0.11.5 -> 0.11.6 (RUSTSEC-2026-0041: uninit memory leak)
* quinn-proto 0.11.13 -> 0.11.14 (RUSTSEC-2026-0037: DoS)
* rustls 0.23.36 -> 0.23.39 (transitive bump podczas update)
* rustls-webpki 0.103.9 -> 0.103.13 (RUSTSEC-2026-0049/0098/0099/0104: CRL panic, name constraint accepts)
- Removed 4 orphan Cargo.lock files: loctree_rs/, loctree-mcp/, reports/, reports/wasm/
(wszystkie potwierdzone jako workspace members bez własnego [workspace] section).
- Updated .gitignore z patternami zapobiegającymi orphan re-creation.
- Verified: cargo check --workspace, cargo clippy --workspace --all-targets -D warnings, cargo test -p loctree --lib (1015 passed), cargo audit (12 -> 1 vuln).
- Pozostały 1 vuln: rsa 0.9.10 RUSTSEC-2023-0071 (Marvin Attack) — brak upstream patcha, identyczny stan jak loctree-suite po Cut 9.
- No source code changes. No Cargo.toml changes. No feature port from loctree-suite.
Authored-By: claude <agents@vetcoders.io>
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies in the root Cargo.lock, including rustls and aws-lc-rs, and modifies the .gitignore to exclude orphan Cargo.lock files from workspace members. Feedback was provided regarding the incompleteness of the .gitignore list, specifically suggesting the addition of /rmcp-common/Cargo.lock and the use of leading slashes for path consistency.
| loctree_rs/Cargo.lock | ||
| loctree-mcp/Cargo.lock | ||
| reports/Cargo.lock | ||
| reports/wasm/Cargo.lock |
There was a problem hiding this comment.
The list of ignored orphan Cargo.lock files is incomplete. The workspace member rmcp-common (defined in the root Cargo.toml) should also have its lockfile ignored to maintain workspace hygiene and prevent redundant Dependabot alerts. Additionally, using a leading slash for these paths would be consistent with the rest of the .gitignore file and ensures they are anchored to the repository root.
/loctree_rs/Cargo.lock
/loctree-mcp/Cargo.lock
/rmcp-common/Cargo.lock
/reports/Cargo.lock
/reports/wasm/Cargo.lock
Summary
Single-commit backport of
loctree-suiteCut 9 security hygiene work to the public mirror. Zero source-code changes. Zero version bumps. Zero feature port. Pure lockfile cleanup.Inventory
Live Dependabot snapshot pre-Cut-9-port: 12 vulnerabilities flagged on
loctree-ast(subset of org-wide 62, after Suite-side cleanup absorbed many duplicates).Patches
Patch A — root
Cargo.lockchirurgical bumps (6 packages, 11 of 12 vulns addressed):aws-lc-rs/aws-lc-sys— CRL Distribution Point Scope, X.509 Name Constraints Bypass, PKCS7_verify (Sig + Cert Chain), AES-CCM Tag Timing Side-Channellz4_flex— info leak in decompressionquinn-proto— unauthenticated remote DoS via panic in QUIC transportrustls/rustls-webpki— DoS via panic on malformed CRL BIT STRING + CRL authority bugPatch B — orphan
Cargo.lockcleanup (4 files removed):loctree_rs/Cargo.lockloctree-mcp/Cargo.lockreports/Cargo.lockreports/wasm/Cargo.lockAll 4 verified as workspace members (no own
[workspace]section,cargo metadataresolves to root). Workspace memberCargo.lockfiles are ignored by cargo at build time but Dependabot/cargo-audit/Snyk each read them separately → duplicate alerts. Hygiene principle: 1 lockfile per workspace.Patch C —
.gitignorerecidivism guard:Verification
cargo check --workspace✅cargo clippy --workspace --all-targets -- -D warnings✅cargo test -p loctree --lib→ 1015 passed / 0 failed ✅cargo audit→ 12 → 1 vulnerability (onlyrsa 0.9.10RUSTSEC-2023-0071 Marvin Attack remains; no upstream patch available — same residual asloctree-suiteafter its Cut 9)Boundary
loctree_rs/src/**, noloctree-mcp/src/**, noCargo.tomlversion = "..."lines untouchedrsa 0.9.10(Marvin Attack) — identical state to loctree-suite, awaits upstream fixBonus insights captured
cargo update -p Xonly sees default-feature graph. Optional deps (e.g.aws-lc-sysbehindmemexfeature) fail withdid not match. Workaround: bump parent crate (aws-lc-rs) which declares semver for problem dep.Cargo.lockin members is silent for cargo (build doesn't use them) but Dependabot/cargo-audit/Snyk each read all of them. Hygiene = 1 lockfile + gitignore as recidivism guard.Test plan
gh api orgs/Loctree/dependabot/alerts?state=open | jq '[.[] | select(.repository.name == "loctree-ast")] | length'returns ≤1 (only Marvin Attack rsa, until upstream patch)Reference
Sister PR (loctree-suite): https://github.com/Loctree/loctree-suite/pull/16 (merged → develop as
213e9f02)