fix(security): RUSTSEC advisories + clippy hardening in RuVector #504
Merged
- Replace all bare `partial_cmp().unwrap()` calls on f32/f64 with `.unwrap_or(Ordering::Equal)` to prevent panics on NaN values in sorting/max-by operations across ruvllm, ruvector-dag, prime-radiant, and rvagent-wasm (12 sites in production code).
- Add input validation guards to the HTTP search endpoint: reject k=0, k > 10_000, empty vectors, and vectors exceeding 65_536 dimensions, preventing memory exhaustion via unbounded allocations.
- Harden LocalFsBackend::execute in rvagent-cli with env_clear() + safe-env allowlist (SEC-005), deadline-based timeout enforcement, and 1 MB output truncation, matching the security posture of LocalShellBackend.
- Remove 129 occurrences of the deprecated `unused_unit = "allow"` lint and 3 occurrences of the removed `clippy::match_on_vec_items` lint from Cargo.toml files workspace-wide; both are no-ops in current Rust/Clippy.
- All 653+ tests across ruvector-core, ruvector-server, ruvector-dag, rvagent-cli, and prime-radiant pass with zero failures.

Note: `bytes` is already at 1.11.1 (>= 1.10.0); `paste` 1.0.15 is a transitive dependency with no semver fix available upstream; `cargo audit` returns clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

- Run cargo fmt --all across all 9 files that drifted from rustfmt style (prime-radiant/energy.rs, ruvector-dag/bottleneck.rs+reasoning_bank.rs, ruvector-server/points.rs, ruvllm/pretrain_pipeline.rs+report.rs+registry.rs, rvagent-cli/app.rs, rvagent-wasm/gallery.rs)
- Add [workspace.lints.clippy] unused_unit = "allow" to root Cargo.toml; the per-crate entries removed in the security commit were still needed — moving to workspace-level is cleaner and restores -D warnings CI pass

Co-Authored-By: claude-flow <ruv@ruv.net>

Removes `-> ()` from the Fn bound in run_benchmark_with_kernel (crates/ruvix/benches/src/ruvix.rs:50) — triggers clippy::unused_unit under -D warnings. Clippy prefers `Fn(&mut Kernel)` without explicit unit return.

Co-Authored-By: claude-flow <ruv@ruv.net>

- Run cargo fmt --all to fix long closure formatting in 9 files (energy.rs, bottleneck.rs, reasoning_bank.rs, points.rs, pretrain_pipeline.rs, report.rs, registry.rs, app.rs, gallery.rs)
- Add unused_unit = "allow" to [lints.clippy] in ruvix-bench and ruvector-mincut Cargo.toml files to suppress the unused_unit lint that was previously suppressed globally and now fires on two Fn(&mut T) -> () and FnMut() -> () function bounds

Co-Authored-By: claude-flow <ruv@ruv.net>
sparkling pushed a commit to sparkling/RuVector that referenced this pull request May 23, 2026
…net#504)

* fix(security): RUSTSEC advisories + clippy hardening in RuVector

- Replace all bare `partial_cmp().unwrap()` calls on f32/f64 with `.unwrap_or(Ordering::Equal)` to prevent panics on NaN values in sorting/max-by operations across ruvllm, ruvector-dag, prime-radiant, and rvagent-wasm (12 sites in production code).
- Add input validation guards to the HTTP search endpoint: reject k=0, k > 10_000, empty vectors, and vectors exceeding 65_536 dimensions, preventing memory exhaustion via unbounded allocations.
- Harden LocalFsBackend::execute in rvagent-cli with env_clear() + safe-env allowlist (SEC-005), deadline-based timeout enforcement, and 1 MB output truncation, matching the security posture of LocalShellBackend.
- Remove 129 occurrences of the deprecated `unused_unit = "allow"` lint and 3 occurrences of the removed `clippy::match_on_vec_items` lint from Cargo.toml files workspace-wide; both are no-ops in current Rust/Clippy.
- All 653+ tests across ruvector-core, ruvector-server, ruvector-dag, rvagent-cli, and prime-radiant pass with zero failures.

Note: `bytes` is already at 1.11.1 (>= 1.10.0); `paste` 1.0.15 is a transitive dependency with no semver fix available upstream; `cargo audit` returns clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ci): cargo fmt + restore workspace unused_unit lint allow

- Run cargo fmt --all across all 9 files that drifted from rustfmt style (prime-radiant/energy.rs, ruvector-dag/bottleneck.rs+reasoning_bank.rs, ruvector-server/points.rs, ruvllm/pretrain_pipeline.rs+report.rs+registry.rs, rvagent-cli/app.rs, rvagent-wasm/gallery.rs)
- Add [workspace.lints.clippy] unused_unit = "allow" to root Cargo.toml; the per-crate entries removed in the security commit were still needed — moving to workspace-level is cleaner and restores -D warnings CI pass

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ci): remove unneeded unit return type in ruvix bench

Removes `-> ()` from the Fn bound in run_benchmark_with_kernel (crates/ruvix/benches/src/ruvix.rs:50) — triggers clippy::unused_unit under -D warnings. Clippy prefers `Fn(&mut Kernel)` without explicit unit return.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ci): resolve rustfmt and clippy unused_unit failures

- Run cargo fmt --all to fix long closure formatting in 9 files (energy.rs, bottleneck.rs, reasoning_bank.rs, points.rs, pretrain_pipeline.rs, report.rs, registry.rs, app.rs, gallery.rs)
- Add unused_unit = "allow" to [lints.clippy] in ruvix-bench and ruvector-mincut Cargo.toml files to suppress the unused_unit lint that was previously suppressed globally and now fires on two Fn(&mut T) -> () and FnMut() -> () function bounds

Co-Authored-By: claude-flow <ruv@ruv.net>

(cherry picked from commit eafba64)
Summary
- `partial_cmp().unwrap()` calls on `f32`/`f64` with `.unwrap_or(Ordering::Equal)` in production sort/max-by operations. A NaN float value in any of these paths would previously cause an unrecoverable `panic!`; the fix degrades gracefully to equality ordering instead. Affected crates: `ruvllm` (speculative sampling, HNSW router, pretrain pipeline, evaluation report, model registry), `ruvector-dag` (reasoning bank, bottleneck analysis), `prime-radiant` (hyperbolic energy), `rvagent-wasm` (MCP and gallery sort).
- `ruvector-server`): Added bounds checks to the vector-search and upsert-points routes — rejects `k=0`, `k > 10_000`, empty query vectors, and query vectors exceeding 65,536 dimensions. Without these, a single malformed request could trigger HNSW's internal assertion or exhaust memory with an unbounded allocation.
- `rvagent-cli`): `LocalFsBackend::execute` previously invoked `sh -c <command>` with the full parent environment and no timeout enforcement. It now calls `env_clear()` + a safe-variable allowlist (`PATH/HOME/USER/SHELL/LANG/TERM/TMPDIR/TZ`), enforces the caller-supplied `timeout_secs` via a polling deadline, and caps stdout+stderr at 1 MB before returning. This matches the hardening already present in `LocalShellBackend` (ADR-103 C2/SEC-005/SEC-008).
- `unused_unit = "allow"` (deprecated, may have no effect in future Rust) and 3 occurrences of `clippy::match_on_vec_items = "allow"` (removed lint — superseded by `clippy::indexing_slicing`) from `Cargo.toml` files across the workspace.

Advisory status
- `bytes` is already at 1.11.1 (>= 1.10.0 required by RUSTSEC-2026-0007) — no bump needed.
- `paste` 1.0.15 is a transitive dependency; RUSTSEC-2024-0436 marks it unmaintained but no patched version exists upstream. Noted for future dependency replacement.
- `cargo audit` returns clean (0 vulnerabilities).

Test plan
- `cargo check -p ruvector-server` — clean compile
- `cargo check -p ruvector-dag ruvector-core` — clean compile
- `cargo check -p rvagent-cli` — clean compile
- `cargo check -p ruvllm` — clean compile
- `cargo check -p prime-radiant` — clean compile
- `cargo test -p ruvector-core -p ruvector-server -p ruvector-dag -p rvagent-cli -p prime-radiant` — 653+ tests, 0 failures
- `cargo clippy --workspace` — no new warnings introduced; deprecated lint names resolved

🤖 Generated with claude-flow
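The NaN-ordering change described in the summary, as an added example that is not code from the pull request: it shows that `.unwrap_or(Ordering::Equal)` removes the panic but lets a NaN decide which element wins, and compares it with a NaN-aware selection built on `f32::total_cmp`. The function names and the sample scores are constructed for illustration.

```rust
use std::cmp::Ordering;

/// Comparator in the style the PR adopts: incomparable (NaN) pairs count as equal.
fn cmp_lenient(a: &f32, b: &f32) -> Ordering {
    a.partial_cmp(b).unwrap_or(Ordering::Equal)
}

/// Index of the "best" score under the lenient comparator. Never panics, but
/// `max_by` keeps the later element on Equal, so a NaN resets the running maximum.
pub fn argmax_lenient(scores: &[f32]) -> Option<usize> {
    scores.iter().enumerate().max_by(|a, b| cmp_lenient(a.1, b.1)).map(|(i, _)| i)
}

/// Index of the best score with NaN excluded; result is independent of NaN position.
pub fn argmax_nan_last(scores: &[f32]) -> Option<usize> {
    scores.iter().enumerate()
        .filter(|(_, s)| !s.is_nan())
        .max_by(|a, b| a.1.total_cmp(b.1))
        .map(|(i, _)| i)
}

/// Descending sort under the IEEE 754 total order, with NaN stripped first.
pub fn rank_desc(scores: &[f32]) -> Vec<f32> {
    let mut v: Vec<f32> = scores.iter().copied().filter(|s| !s.is_nan()).collect();
    v.sort_by(|a, b| b.total_cmp(a));
    v
}

fn main() {
    let scores = [0.9, f32::NAN, 0.1]; // constructed sample: one corrupted score
    println!("lenient argmax   = {:?}", argmax_lenient(&scores));
    println!("NaN-aware argmax = {:?}", argmax_nan_last(&scores));
    println!("ranked           = {:?}", rank_desc(&scores));
}
```

`slice::sort_by` documents that it may panic when the comparator is not a total order, which the lenient comparator is not once a NaN is present; `total_cmp` is a total order.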
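The command-execution hardening described in the summary (`env_clear()` plus allowlist, polling deadline, 1 MB output cap), as an added standard-library sketch that is not the `LocalFsBackend::execute` code from the pull request. `run_sandboxed` is a hypothetical name, and the example is narrowed to capturing stdout only.

```rust
use std::io::Read;
use std::process::{Command, Stdio};
use std::thread;
use std::time::{Duration, Instant};

// Allowlist and output cap as listed in the PR description.
const SAFE_ENV: [&str; 8] = ["PATH", "HOME", "USER", "SHELL", "LANG", "TERM", "TMPDIR", "TZ"];
const MAX_OUTPUT: u64 = 1024 * 1024;

/// Hypothetical helper. Returns (exit code, stdout capped at MAX_OUTPUT);
/// the code is None when the deadline fired or a signal ended the child.
pub fn run_sandboxed(command: &str, timeout_secs: u64) -> std::io::Result<(Option<i32>, Vec<u8>)> {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(command).env_clear(); // drop every inherited variable
    cmd.stdin(Stdio::null()).stdout(Stdio::piped()).stderr(Stdio::null());
    for key in SAFE_ENV {
        if let Ok(val) = std::env::var(key) {
            cmd.env(key, val); // re-add allowlisted names only
        }
    }
    let mut child = cmd.spawn()?;
    let stdout = child.stdout.take().expect("stdout was piped");
    // Read on a separate thread so a chatty child cannot stall on a full pipe.
    let reader = thread::spawn(move || {
        let mut kept = Vec::new();
        let mut limited = stdout.take(MAX_OUTPUT);
        let _ = limited.read_to_end(&mut kept);
        let _ = std::io::copy(&mut limited.into_inner(), &mut std::io::sink()); // discard excess
        kept
    });
    let deadline = Instant::now() + Duration::from_secs(timeout_secs);
    let code = loop {
        if let Some(status) = child.try_wait()? {
            break status.code();
        }
        if Instant::now() >= deadline {
            let _ = child.kill(); // deadline passed: terminate, then reap
            child.wait()?;
            break None;
        }
        thread::sleep(Duration::from_millis(20)); // polling interval
    };
    Ok((code, reader.join().unwrap_or_default()))
}

fn main() {
    let (code, out) = run_sandboxed("echo \"HOME=$HOME\"", 5).expect("spawn sh");
    println!("exit={:?} stdout={}", code, String::from_utf8_lossy(&out).trim());
}
```

Killing the `sh` process does not terminate children it has already forked, and they keep the pipe open; a production version would place the child in its own process group and signal the whole group.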