Bump rustls-webpki to 0.103.13 (RUSTSEC-2026-0104)#4357

Merged: squadgazzz merged 1 commit into main from fix/cargo-audit-rustls-webpki, Apr 22, 2026

@squadgazzz squadgazzz commented Apr 22, 2026

Summary

  • cargo audit is currently failing on main due to RUSTSEC-2026-0104 — a reachable panic in rustls-webpki's CRL parsing (affected: 0.103.0..0.103.13).
  • rustls-webpki is a transitive dep (via rustls-platform-verifier / reqwest); no direct manifest bump is needed. Ran `cargo update -p rustls-webpki --precise 0.103.13` to move the lockfile from 0.103.12 to 0.103.13.
  • While re-resolving, cargo also deduped a few consumers onto windows-sys 0.60.2 and syn 1.0.109, both of which already existed in the lockfile on main — no new crate versions were introduced.

Test plan

  • CI green

Patch-level update of the transitive `rustls-webpki` dep pulled in via
`rustls-platform-verifier` / `reqwest`. Fixes a reachable panic in CRL
parsing reported as RUSTSEC-2026-0104. Lockfile-only change; cargo
also dedupes a few already-present transitive versions while resolving.
@squadgazzz squadgazzz requested a review from a team as a code owner April 22, 2026 10:19
@squadgazzz squadgazzz enabled auto-merge April 22, 2026 10:22

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates several dependencies in Cargo.lock, including upgrading windows-sys to version 0.60.2 and rustls-webpki to 0.103.13, while downgrading syn to version 1.0.109. I have no feedback to provide.

@squadgazzz squadgazzz added this pull request to the merge queue Apr 22, 2026
Merged via the queue into main with commit 3f80656 Apr 22, 2026
22 checks passed
@squadgazzz squadgazzz deleted the fix/cargo-audit-rustls-webpki branch April 22, 2026 11:19
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 22, 2026
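
The lockfile-only fix described in this PR can be verified independently of `cargo audit`. The following is an added example, not code from this PR or repository: it scans a Cargo.lock for any `rustls-webpki` entry inside the affected range quoted in the description. The function names and the sample lockfile are assumptions made for illustration.

```rust
use std::{env, fs, process};
// Crate and affected range as quoted in the PR description:
// 0.103.0..0.103.13, upper bound exclusive (0.103.13 carries the fix).
const CRATE: &str = "rustls-webpki";
const AFFECTED_FROM: (u64, u64, u64) = (0, 103, 0);
const FIXED_IN: (u64, u64, u64) = (0, 103, 13);
// Constructed sample lockfile, used when no path is passed on the command line.
const SAMPLE: &str = "version = 4\n\n[[package]]\nname = \"rustls-webpki\"\n\
version = \"0.101.7\"\n\n[[package]]\nname = \"rustls-webpki\"\nversion = \"0.103.12\"\n";

/// Extract the value from a `key = "value"` line of Cargo.lock.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every locked version of CRATE inside the affected range. A lockfile can
/// hold several versions of one crate, so all `[[package]]` entries are checked.
fn affected_versions(lock: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), "");
    for line in lock.lines().map(str::trim) {
        if let Some(n) = field(line, "name") {
            name = n;
        } else if let Some(v) = field(line, "version") {
            let hit = matches!(parse_version(v), Some(x) if x >= AFFECTED_FROM && x < FIXED_IN);
            if name == CRATE && hit {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

fn main() {
    let lock = match env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read lockfile"),
        None => SAMPLE.to_string(),
    };
    let hits = affected_versions(&lock);
    for v in &hits { eprintln!("{} {} is in the affected range", CRATE, v); }
    process::exit(if hits.is_empty() { 0 } else { 1 });
}
```

Run with the path to a Cargo.lock as the only argument; the exit status is non-zero when an affected version is still locked.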