fix(security): resolve all 40 dependabot alerts across cargo and npm#182
Merged
Conversation
Rust: migrate pyo3 0.18 to 0.29 (Bound module registration, explicit signature for receiver's Option parameters, drop the no-op generate-import-lib feature and stale text_signature); bump tungstenite to 0.29 in receiver and database_server so the websocket stack uses rustls 0.23.41 with rustls-webpki 0.103.13; drop the unused tls feature of mproxy-forward, which pinned rustls 0.20 with the unpatchable ring 0.16 line (no tls:// address is used anywhere); refresh all four lockfiles, lifting bytes, tar, time, idna, tokio, rand, ring, and zip past their advisories. npm: bump vite to 6.4.3, which also brings esbuild 0.25. Verified with a full cargo check including the wasm-pack and vite build pipeline.
Pull request overview
This PR updates Rust and npm dependencies to address all open Dependabot security alerts, including major-version upgrades to the PyO3 Python extension bindings and the Tungstenite/Rustls websocket stack, plus a Vite upgrade in the web frontend.
Changes:
- Upgrade PyO3 from 0.18.x to 0.29.0, updating the module init/API surface to match new PyO3 patterns (Bound modules, explicit signatures).
- Upgrade Tungstenite from 0.21 to 0.29 (receiver + database_server), adjusting websocket message construction for updated types.
- Upgrade aisdb_web dev tooling by bumping Vite to 6.4.3 (and lockfile refresh including newer esbuild).
Reviewed changes
Copilot reviewed 7 out of 12 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/lib.rs | Updates PyO3 integration: imports, function signature metadata, and module registration for PyO3 0.29. |
| receiver/src/receiver.rs | Adapts websocket send code to Tungstenite 0.29 message types. |
| receiver/Cargo.toml | Removes mproxy-forward TLS feature and bumps Tungstenite dependency. |
| database_server/src/aisdb_db_server.rs | Adapts websocket Pong construction for Tungstenite 0.29 types. |
| database_server/Cargo.toml | Bumps Tungstenite dependency. |
| database_server/Cargo.lock | Refreshes lockfile for updated Rust dependencies in database_server. |
| Cargo.toml | Bumps workspace PyO3 dependency and drops generate-import-lib feature. |
| Cargo.lock | Refreshes workspace lockfile after Rust dependency upgrades. |
| aisdb_web/package.json | Bumps Vite version requirement. |
| aisdb_web/package-lock.json | Refreshes npm lockfile for Vite 6 / esbuild updates. |
| aisdb_lib/Cargo.lock | Refreshes lockfile for updated Rust dependencies in aisdb_lib. |
Files not reviewed (1)
- aisdb_web/package-lock.json: Generated file
Comment on lines 566 to 570:

```rust
/// static_msg_bufsize (Option<usize>)
/// Number of static messages to keep before inserting into database.
/// Defaults to 64
/// tee (bool)
/// If True, raw input will be copied to stdout
```
Resolves every open dependabot alert (6 high, 19 moderate, 15 low).
Rust
npm
Verification
Mirrors the equivalent fixes already landed on AISdb-lite (68f7c364 there).
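The lockfile refresh above only removes an advisory if every copy of the affected crate is lifted, and a Cargo.lock can carry two versions of the same crate at once (the PR hit exactly this with ring 0.16 kept alive by an unused TLS feature). The following check is an added example, not the project's own code: it scans a constructed Cargo.lock excerpt for any package entry still below a chosen minimum. The minimums for rustls and rustls-webpki are the versions named in the PR; the ring threshold (any 0.17 release) and the sample lockfile contents are assumptions.

```python
"""Flag lockfile entries that sit below a minimum version (added example)."""
import re

# Constructed Cargo.lock excerpt (not the project's lockfile): ring appears
# twice, as it does when one dependency still pins the old rustls 0.20 line.
SAMPLE_LOCK = """
[[package]]
name = "ring"
version = "0.16.20"

[[package]]
name = "ring"
version = "0.17.14"

[[package]]
name = "rustls"
version = "0.23.41"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
"""

# Thresholds: rustls/rustls-webpki from the PR text; ring is an assumed
# "anything on the 0.17 line", since the PR calls the 0.16 line unpatchable.
MIN_VERSIONS = {"ring": "0.17.0", "rustls": "0.23.41", "rustls-webpki": "0.103.13"}

# Cargo.lock always writes name before version inside a [[package]] table.
PACKAGE_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '0.23.41' into (0, 23, 41); pre-release and build tags are dropped."""
    return tuple(int(p) for p in v.split("+")[0].split("-")[0].split("."))


def find_outdated(lock_text: str, minimums: dict[str, str]) -> list[tuple[str, str]]:
    """Return every (name, version) entry below its minimum.

    Every copy of a crate is checked, not just the first one found, because
    only the stale duplicate is the problem and it is easy to miss.
    """
    outdated = []
    for name, version in PACKAGE_RE.findall(lock_text):
        if name in minimums and parse_version(version) < parse_version(minimums[name]):
            outdated.append((name, version))
    return outdated


if __name__ == "__main__":
    for name, version in find_outdated(SAMPLE_LOCK, MIN_VERSIONS):
        print(f"{name} {version} is below the required {MIN_VERSIONS[name]}")
```

Run it against each of the four lockfiles named in the PR to confirm no stale duplicate survived the refresh.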