Skip to content

Clear post-merge OSV advisories (cxx, Go stdlib, cgmath)#349

Merged
ciaranra merged 2 commits into
devfrom
osv-advisory-cleanup-2026-07
Jul 11, 2026
Merged

Clear post-merge OSV advisories (cxx, Go stdlib, cgmath)#349
ciaranra merged 2 commits into
devfrom
osv-advisory-cleanup-2026-07

Conversation

@ciaranra

@ciaranra ciaranra commented Jul 11, 2026

Copy link
Copy Markdown
Member

Post-merge dependency hygiene: the OSV Scanner push-gate on dev went red after #347 merged, from 5 newly-disclosed advisories in transitive deps (all Unknown severity, none introduced by #347).

Advisory Package Action
RUSTSEC-2026-0202 cxx 1.0.194 bump lockfile → 1.0.195 (fixed)
GO-2026-4970, GO-2026-5856 Go stdlib bump go/pecos/go.modgo 1.26.5 (fixed)
RUSTSEC-2026-0196 cgmath 0.18.0 ignore — unmaintained; no fixed release
RUSTSEC-2026-0197 cgmath 0.18.0 ignore — unsound swap_columns(a, a) UB; no fixed release

cgmath triage: both are INFO-level, transitive via hugr-core → hugr → tket → pecos-hugr, and 0.18.0 is the latest release (no upstream fix). RUSTSEC-2026-0197 requires calling Matrix::swap_columns with identical indices, which only hugr/tket internals could do — PECOS never calls it. Suppressed in osv-scanner.toml with the standard chain/owner/reason, to re-check on a hugr/tket bump.

Verification: cargo tree resolves (cxx 1.0.195, cgmath 0.18.0); pecos-chromobius (cxx consumer) builds clean; osv-scanner.toml parses; go-version-consistency structural checks unaffected and go-test uses stable (≥ 1.26.5). CI OSV Scanner is authoritative.

Notes from review: (1) The lockfile diff is surgically restricted to the four cxx-family hunks — cargo update under cargo 1.97 also wants to re-normalize unrelated dependency edges (windows-sys/unicode-width/hashbrown/indexmap duplicates); that churn is benign but was excluded to keep this diff minimal, so expect it to reappear on the next full cargo update. (2) Pre-existing, not changed here: govulncheck inside the OSV scanner image has been silently skipping go/pecos since the go.mod directive passed 1.26.4 (image ships Go 1.26.2, GOTOOLCHAIN=local); lockfile-level stdlib matching still catches Go advisories, but code-level reachability analysis is absent until the scanner image ships a newer Go.

@ciaranra ciaranra merged commit 4672436 into dev Jul 11, 2026
64 checks passed
@ciaranra ciaranra deleted the osv-advisory-cleanup-2026-07 branch July 11, 2026 04:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant