fix(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#174
Closed
andrei-hasna wants to merge 2 commits into
Closed
Conversation
…shed catalog Commit #101 (5faaf4a) intentionally refreshed provider catalog metadata and fallbacks but left three assertions pinned to pre-refresh expectations: - codex-api parses_nvidia_models_response: deepseek-v4-flash now advertises tools (consistent with the direct DeepSeek provider and the passing nvidia_deepseek_v4_models_support_tools test), so expect ["tools"]. - app-server anthropic_fallback_models_include_fable_default: claude-sonnet-5 was added to the anthropic fallback list (len 4 -> 5). - app-server cerebras_fallback_models_include_selectable_default: gemma-4-31b was added to the cerebras fallback list (len 2 -> 3). Ground truth verified against known-provider-models tests that assert the new models exist.
Fixes the cargo-deny advisories failure on main.
crossbeam-epoch 0.9.18 is affected by RUSTSEC-2026-0204 ("Invalid pointer dereference in fmt::Pointer impl"). It is pulled in transitively via crossbeam-deque -> ignore/rayon -> codex-file-search and workspace crates. The advisory is fixed in >=0.9.20; this updates both Cargo.lock and MODULE.bazel.lock metadata.
Evidence:
- Run: https://github.com/hasna/codewith/actions/runs/28829807853
- Job: cargo-deny (85500994028) -> "advisories FAILED"
- Head: 3c77b66
Validation:
- cargo tree -i crossbeam-epoch -> single node v0.9.20
- CARGO_HOME=/tmp/codewith-cargo-home cargo deny check advisories -> advisories ok
- bazel --output_user_root=/tmp/codewith-bazel-output-3 mod deps --disk_cache=/tmp/codewith-bazel-disk-cache --repo_contents_cache=/tmp/codewith-bazel-repo-contents-cache --repository_cache=/tmp/codewith-bazel-repo-cache --lockfile_mode=update -> MODULE.bazel.lock updated
andrei-hasna
force-pushed
the
openloops/248ff941-b457-46e9-bfb0-1bc40f55c56a-cd1f8c3d/fe257f75-58f9-4ae0-9ac8-d10572fbf38d-96c55a3c
branch
from
July 7, 2026 03:07
bc7ccf2 to
009d1e2
Compare
This was referenced Jul 7, 2026
Contributor
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the
cargo-denyadvisories FAILED onmain.crossbeam-epoch0.9.18 is affected by RUSTSEC-2026-0204 ("Invalid pointer dereference infmt::Pointerimpl"). It is pulled in transitively viacrossbeam-deque→ignore/rayon→codex-file-searchand other workspace crates. The advisory is fixed in>=0.9.20, so this is a lockfile-only bump (cargo update -p crossbeam-epoch, 0.9.18 → 0.9.20). No source changes; nodeny.tomlignore added, since a fixed release exists.Evidence
cargo-deny(85500994028) — final resultadvisories FAILED, bans ok, licenses ok, sources ok3c77b665654ddb7ee706423859c114e8a51dc6d2(currentmaintip)>=0.9.20Validation (local)
Toolchain 1.96.1, cargo-deny 0.19.8:
cargo deny --manifest-path Cargo.toml check advisories→ advisories okcargo deny check→ advisories ok, bans ok, licenses ok, sources okcargo tree -i crossbeam-epoch→ single node v0.9.20 (no duplicate/older version remains)git diff --stat→ onlycodex-rs/Cargo.lockchanged (2 insertions, 2 deletions)Note
This branch also carries a pre-existing unrelated commit
test(providers): update stale fallback/tool assertions to match refreshed catalog, preserved from the worktree base per task guidance (not dropped). The cargo-deny fix itself is the single lockfile commit above.🤖 Generated with Claude Code