fix(security): resolve all 40 dependabot alerts across cargo and npm #182

Merged: gabrielspadon merged 2 commits into master from fix/dependabot-alerts, Jul 2, 2026

Conversation

@gabrielspadon (Collaborator)

Resolves every open dependabot alert (6 high, 19 moderate, 15 low).

Rust

  • Migrate pyo3 0.18 to 0.29: Bound module registration with add_function, explicit signature attribute for receiver()'s Option parameters, drop the stale text_signature and the no-op generate-import-lib feature.
  • Bump tungstenite 0.21 to 0.29 in receiver and database_server, moving the websocket stack to rustls 0.23.41 with rustls-webpki 0.103.13.
  • Drop the unused tls feature of mproxy-forward, which pinned rustls 0.20 with the unpatchable ring 0.16 line; no tls:// upstream address is used anywhere in the codebase.
  • Refresh all four lockfiles, lifting bytes, tar, time, idna, tokio, rand, ring, and zip past their advisories.

npm

  • vite 5.4.21 to 6.4.3 in aisdb_web (brings esbuild 0.25.12), covering the vite and esbuild alerts.

Verification

  • Full cargo check --all-targets passes locally, including the build.rs pipeline (wasm-pack build of client_webassembly and the vite 6 build of aisdb_web dist maps). CI on this PR provides the cross-platform test run.

Mirrors the equivalent fixes already landed on AISdb-lite (68f7c364 there).

Rust: migrate pyo3 0.18 to 0.29 (Bound module registration, explicit signature for receiver's Option parameters, drop the no-op generate-import-lib feature and stale text_signature); bump tungstenite to 0.29 in receiver and database_server so the websocket stack uses rustls 0.23.41 with rustls-webpki 0.103.13; drop the unused tls feature of mproxy-forward, which pinned rustls 0.20 with the unpatchable ring 0.16 line (no tls:// address is used anywhere); refresh all four lockfiles, lifting bytes, tar, time, idna, tokio, rand, ring, and zip past their advisories. npm: bump vite to 6.4.3, which also brings esbuild 0.25. Verified with a full cargo check including the wasm-pack and vite build pipeline.
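The lockfile refresh above is the kind of change worth checking mechanically rather than by eye, because a crate can sit in Cargo.lock at two versions at once (the PR's own case: the unused tls feature kept rustls 0.20, and with it ring 0.16, next to the 0.23 line). The following is an added example, not code from this PR or from the AISdb project: a std-only Cargo.lock scanner that reports every locked crate still below a patched release. The two "at least" thresholds are the versions the PR names (rustls 0.23.41, rustls-webpki 0.103.13); the whole ring 0.16 line is flagged because the PR describes it as unpatchable; the two lockfile excerpts are constructed, not taken from the repository.

```rust
// Added example, not code from this PR or the AISdb project. Thresholds for
// rustls and rustls-webpki are the versions the PR text names; the ring 0.16
// line is banned outright as the PR calls it unpatchable. Lockfile samples are
// constructed.
use std::cmp::Ordering;
use std::collections::BTreeMap;

/// One `[[package]]` entry from Cargo.lock (only the fields the audit needs).
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

fn push_if_complete(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push(LockedPackage { name: n, version: v });
    }
}

/// Line-based parse of the `[[package]]` tables; `source`, `checksum` and
/// `dependencies` are ignored. A crate locked at two versions yields two entries.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            push_if_complete(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    push_if_complete(&mut name, &mut version, &mut out);
    out
}

/// Numeric dotted-version compare: missing components count as 0 and a
/// pre-release suffix ("1.2.0-beta") is cut at the first non-digit.
pub fn version_cmp(a: &str, b: &str) -> Ordering {
    fn parts(v: &str) -> Vec<u64> {
        v.split('.')
            .map(|p| p.chars().take_while(|c| c.is_ascii_digit()).collect::<String>().parse().unwrap_or(0))
            .collect()
    }
    let (pa, pb) = (parts(a), parts(b));
    for i in 0..pa.len().max(pb.len()) {
        let (x, y) = (pa.get(i).copied().unwrap_or(0), pb.get(i).copied().unwrap_or(0));
        if x != y {
            return x.cmp(&y);
        }
    }
    Ordering::Equal
}

/// What a crate must satisfy for its advisory to count as resolved.
#[derive(Debug, Clone)]
pub enum Rule {
    /// Fixed in one release: every version >= this one is acceptable.
    AtLeast(&'static str),
    /// No fixed release on this line: any version with this prefix is flagged.
    BannedLine(&'static str),
}

/// Thresholds from the PR text; assumption: only these three crates are checked here.
pub fn policy() -> BTreeMap<&'static str, Rule> {
    BTreeMap::from([
        ("rustls", Rule::AtLeast("0.23.41")),
        ("rustls-webpki", Rule::AtLeast("0.103.13")),
        ("ring", Rule::BannedLine("0.16.")),
    ])
}

/// (name, version) of every locked crate that violates the policy, sorted.
pub fn audit(lock_text: &str, policy: &BTreeMap<&'static str, Rule>) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    for pkg in parse_cargo_lock(lock_text) {
        let violates = match policy.get(pkg.name.as_str()) {
            Some(Rule::AtLeast(min)) => version_cmp(&pkg.version, *min) == Ordering::Less,
            Some(Rule::BannedLine(prefix)) => pkg.version.starts_with(*prefix),
            None => false,
        };
        if violates {
            findings.push((pkg.name, pkg.version));
        }
    }
    findings.sort();
    findings
}

/// Constructed excerpt in the shape the PR describes: the tls feature keeps
/// rustls 0.20 (and with it ring 0.16) alongside the 0.23 line.
pub const BEFORE_LOCK: &str = r#"
[[package]]
name = "ring"
version = "0.16.20"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ring"
version = "0.17.8"

[[package]]
name = "rustls"
version = "0.20.9"

[[package]]
name = "rustls"
version = "0.23.40"

[[package]]
name = "rustls-webpki"
version = "0.103.12"
"#;

/// Constructed excerpt after the feature drop and lockfile refresh.
pub const AFTER_LOCK: &str = r#"
[[package]]
name = "ring"
version = "0.17.8"

[[package]]
name = "rustls"
version = "0.23.41"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
"#;

fn main() {
    let policy = policy();
    for (label, lock) in [("before", BEFORE_LOCK), ("after", AFTER_LOCK)] {
        let findings = audit(lock, &policy);
        println!("{label}: {} finding(s) {:?}", findings.len(), findings);
    }
}
```

The scanner deliberately iterates every `[[package]]` entry instead of building a name-to-version map, so the pre-fix sample reports both rustls lines and the stale ring; a map keyed on crate name would silently hide the older duplicate, which is precisely the entry an unused feature leaves behind. Prefix matching on `"0.16."` (with the trailing dot) keeps a hypothetical 0.160.x from being caught by the ban.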
Copilot AI review requested due to automatic review settings July 2, 2026 16:20

Copilot AI left a comment


Pull request overview

This PR updates Rust and npm dependencies to address all open Dependabot security alerts, including major-version upgrades to the PyO3 Python extension bindings and the Tungstenite/Rustls websocket stack, plus a Vite upgrade in the web frontend.

Changes:

  • Upgrade PyO3 from 0.18.x to 0.29.0, updating the module init/API surface to match new PyO3 patterns (Bound modules, explicit signatures).
  • Upgrade Tungstenite from 0.21 to 0.29 (receiver + database_server), adjusting websocket message construction for updated types.
  • Upgrade aisdb_web dev tooling by bumping Vite to 6.4.3 (and lockfile refresh including newer esbuild).

Reviewed changes

Copilot reviewed 7 out of 12 changed files in this pull request and generated 1 comment.

Summary per file:

  • src/lib.rs: Updates PyO3 integration: imports, function signature metadata, and module registration for PyO3 0.29.
  • receiver/src/receiver.rs: Adapts websocket send code to Tungstenite 0.29 message types.
  • receiver/Cargo.toml: Removes mproxy-forward TLS feature and bumps Tungstenite dependency.
  • database_server/src/aisdb_db_server.rs: Adapts websocket Pong construction for Tungstenite 0.29 types.
  • database_server/Cargo.toml: Bumps Tungstenite dependency.
  • database_server/Cargo.lock: Refreshes lockfile for updated Rust dependencies in database_server.
  • Cargo.toml: Bumps workspace PyO3 dependency and drops generate-import-lib feature.
  • Cargo.lock: Refreshes workspace lockfile after Rust dependency upgrades.
  • aisdb_web/package.json: Bumps Vite version requirement.
  • aisdb_web/package-lock.json: Refreshes npm lockfile for Vite 6 / esbuild updates.
  • aisdb_lib/Cargo.lock: Refreshes lockfile for updated Rust dependencies in aisdb_lib.
Files not reviewed (1)
  • aisdb_web/package-lock.json: Generated file


Comment thread on src/lib.rs, lines 566 to 570:
/// static_msg_bufsize (Option<usize>)
/// Number of static messages to keep before inserting into database.
/// Defaults to 64
/// tee (bool)
/// If True, raw input will be copied to stdout
@gabrielspadon gabrielspadon merged commit ca79e52 into master Jul 2, 2026
14 checks passed
@gabrielspadon gabrielspadon deleted the fix/dependabot-alerts branch July 2, 2026 16:29
