Skip to content

fix(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#174

Closed
andrei-hasna wants to merge 2 commits into
mainfrom
openloops/248ff941-b457-46e9-bfb0-1bc40f55c56a-cd1f8c3d/fe257f75-58f9-4ae0-9ac8-d10572fbf38d-96c55a3c
Closed

fix(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#174
andrei-hasna wants to merge 2 commits into
mainfrom
openloops/248ff941-b457-46e9-bfb0-1bc40f55c56a-cd1f8c3d/fe257f75-58f9-4ae0-9ac8-d10572fbf38d-96c55a3c

Conversation

@andrei-hasna

Copy link
Copy Markdown
Contributor

Summary

Resolves the cargo-deny advisories FAILED on main.

crossbeam-epoch 0.9.18 is affected by RUSTSEC-2026-0204 ("Invalid pointer dereference in fmt::Pointer impl"). It is pulled in transitively via crossbeam-dequeignore/rayoncodex-file-search and other workspace crates. The advisory is fixed in >=0.9.20, so this is a lockfile-only bump (cargo update -p crossbeam-epoch, 0.9.18 → 0.9.20). No source changes; no deny.toml ignore added, since a fixed release exists.

Evidence

  • Failing run: https://github.com/hasna/codewith/actions/runs/28829807853
  • Job: cargo-deny (85500994028) — final result advisories FAILED, bans ok, licenses ok, sources ok
  • Head SHA at failure: 3c77b665654ddb7ee706423859c114e8a51dc6d2 (current main tip)
  • Advisory: RUSTSEC-2026-0204, solution >=0.9.20

Validation (local)

Toolchain 1.96.1, cargo-deny 0.19.8:

  • cargo deny --manifest-path Cargo.toml check advisoriesadvisories ok
  • cargo deny checkadvisories ok, bans ok, licenses ok, sources ok
  • cargo tree -i crossbeam-epoch → single node v0.9.20 (no duplicate/older version remains)
  • git diff --stat → only codex-rs/Cargo.lock changed (2 insertions, 2 deletions)

Note

This branch also carries a pre-existing unrelated commit test(providers): update stale fallback/tool assertions to match refreshed catalog, preserved from the worktree base per task guidance (not dropped). The cargo-deny fix itself is the single lockfile commit above.

🤖 Generated with Claude Code

…shed catalog

Commit #101 (5faaf4a) intentionally refreshed provider catalog metadata
and fallbacks but left three assertions pinned to pre-refresh expectations:

- codex-api parses_nvidia_models_response: deepseek-v4-flash now advertises
  tools (consistent with the direct DeepSeek provider and the passing
  nvidia_deepseek_v4_models_support_tools test), so expect ["tools"].
- app-server anthropic_fallback_models_include_fable_default: claude-sonnet-5
  was added to the anthropic fallback list (len 4 -> 5).
- app-server cerebras_fallback_models_include_selectable_default: gemma-4-31b
  was added to the cerebras fallback list (len 2 -> 3).

Ground truth verified against known-provider-models tests that assert the
new models exist.
Fixes the cargo-deny advisories failure on main.

crossbeam-epoch 0.9.18 is affected by RUSTSEC-2026-0204 ("Invalid pointer dereference in fmt::Pointer impl"). It is pulled in transitively via crossbeam-deque -> ignore/rayon -> codex-file-search and workspace crates. The advisory is fixed in >=0.9.20; this updates both Cargo.lock and MODULE.bazel.lock metadata.

Evidence:

- Run:  https://github.com/hasna/codewith/actions/runs/28829807853

- Job:  cargo-deny (85500994028) -> "advisories FAILED"

- Head: 3c77b66

Validation:

- cargo tree -i crossbeam-epoch -> single node v0.9.20

- CARGO_HOME=/tmp/codewith-cargo-home cargo deny check advisories -> advisories ok

- bazel --output_user_root=/tmp/codewith-bazel-output-3 mod deps --disk_cache=/tmp/codewith-bazel-disk-cache --repo_contents_cache=/tmp/codewith-bazel-repo-contents-cache --repository_cache=/tmp/codewith-bazel-repo-cache --lockfile_mode=update -> MODULE.bazel.lock updated
@andrei-hasna

Copy link
Copy Markdown
Contributor Author

Closing as superseded by #208. Replacement #208 consolidates the current Rust dependency train and explicitly supersedes this PR. Please continue review on #208.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

code-reviewed Reviewed by Codewith

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant