chore(deps): bump rustls-webpki from 0.103.10 to 0.103.13 in /src-tauri#4

Merged
t41372 merged 1 commit into main from dependabot/cargo/src-tauri/rustls-webpki-0.103.13 on Apr 22, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026

Bumps rustls-webpki from 0.103.10 to 0.103.13.

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown critical extensions
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.10...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
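The wildcard case from the 0.103.12 notes above (GHSA-xgp8-3hg3-c2mh) is easy to get wrong when a name constraint is compared against the literal certificate name. The following is an added Rust example, not rustls-webpki's own code: a simplified DNS-only name-constraint check that strips the wildcard label and judges the base domain, so that `*.example.com` cannot pass a permitted subtree of `accept.example.com`. `DnsConstraints`, `NameCheck`, `within` and `check_dns_name` are this example's own names, and the constraint sets in `main` are constructed.

```rust
// Added example, not rustls-webpki's own code: a simplified DNS name-constraint
// check that handles a wildcard certificate name conservatively, so that
// "*.example.com" cannot pass a permitted subtree of "accept.example.com".
// The type and function names are this example's own assumptions.

/// DNS name constraints from a CA's NameConstraints extension, simplified to
/// DNS subtrees only (no IP/URI/email subtrees, no leading-dot form).
pub struct DnsConstraints<'a> {
    pub permitted: &'a [&'a str],
    pub excluded: &'a [&'a str],
}

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum NameCheck {
    Permitted,
    Rejected,
}

/// RFC 5280 DNS subtree test: `name` lies inside `subtree` when it equals the
/// subtree or is a subdomain of it on a label boundary ("badexample.com" is
/// not inside "example.com").
fn within(name: &str, subtree: &str) -> bool {
    let name = name.to_ascii_lowercase();
    let subtree = subtree.to_ascii_lowercase();
    if name == subtree {
        return true;
    }
    match name.strip_suffix(subtree.as_str()) {
        Some(prefix) => prefix.len() > 1 && prefix.ends_with('.'),
        None => false,
    }
}

/// Decide whether a certificate's DNS name is allowed under the constraints.
pub fn check_dns_name(name: &str, c: &DnsConstraints) -> NameCheck {
    // "*.example.com" stands for every one-label subdomain of example.com.
    // Comparing the literal string is what goes wrong: "*.example.com" is not
    // a subdomain of "accept.example.com", yet the names it expands to include
    // "reject.example.com". So strip the wildcard label and judge the base.
    let (base, is_wildcard) = match name.strip_prefix("*.") {
        Some(rest) => (rest, true),
        None => (name, false),
    };
    // Any other wildcard form ("*", "a*.b", "*.*.com") is rejected outright.
    if base.is_empty() || base.contains('*') {
        return NameCheck::Rejected;
    }

    // Excluded subtrees take precedence. A wildcard is also rejected when an
    // excluded subtree lies below its base, because some expansion of the
    // wildcard would then be excluded (conservative: deeper subtrees too).
    for ex in c.excluded {
        if within(base, ex) || (is_wildcard && within(ex, base)) {
            return NameCheck::Rejected;
        }
    }
    // With permitted subtrees present, the base must fall inside one of them;
    // every expansion of the wildcard is then inside it as well.
    if !c.permitted.is_empty() && !c.permitted.iter().any(|p| within(base, p)) {
        return NameCheck::Rejected;
    }
    NameCheck::Permitted
}

fn main() {
    // Constructed constraint set: the CA may only issue under accept.example.com.
    let c = DnsConstraints { permitted: &["accept.example.com"], excluded: &[] };
    let names = [
        "host.accept.example.com",
        "*.accept.example.com",
        "*.example.com",
        "reject.example.com",
    ];
    for name in names {
        println!("{:<26} -> {:?}", name, check_dns_name(name, &c));
    }
}
```

The check fails closed: a wildcard is accepted only when its base domain is itself inside a permitted subtree, and rejected whenever an excluded subtree sits anywhere below that base, which is stricter than the one-label semantics of a wildcard but never more permissive.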
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Apr 22, 2026
@t41372 t41372 merged commit de3184a into main Apr 22, 2026
@dependabot dependabot Bot deleted the dependabot/cargo/src-tauri/rustls-webpki-0.103.13 branch April 22, 2026 03:02
t41372 added a commit that referenced this pull request May 22, 2026
… i18n

Why
- Codex review flagged three Blocking/High issues against feat/v0.3-redesign-2:
  (1) the ⌘K palette in shell.tsx sent `{ search, limit, offset }` to
      query_history and tried to read `response.rows`, but the real
      contract is `{ q, page, cursor, ... }` returning `items`. Result:
      palette searches were silently empty on desktop, and the existing
      tests had been mocking the wrong shape.
  (2) Paper UI still leaked raw English copy (char/chars counter, "Remove
      tag {tag}" aria, "Calendar" dialog label, "now"/"first" year-rail
      footers, dashboard greetings). i18n is a shipping contract, not
      polish.
  (3) Theme was held twice — once by the shell as a private useState,
      once by Settings → Appearance via applyPaperPreferences. Toggling
      one didn't update the other, so the buttons drifted.

What
- shell.tsx: palette now calls `backend.queryHistory({ q, limit, sort })`
  and maps `response.items` with the real HistoryEntry shape (id/url/
  domain/title/visitedAt/visitTime). Removed the orphan PaletteRow
  interface. shell.test.tsx mocks `backend.queryHistory` with valid
  HistoryQueryResponse fixtures instead of the legacy rows shape.
- i18n: added 3-language entries for the paper detail panel's char
  counter (singular + plural template), the remove-tag aria label, the
  calendar dialog aria, the year-rail now/first footer captions, and
  the dashboard morning/afternoon/evening greetings. The dashboard's
  hand-rolled greeting map is gone — it now reads
  `dashboard.greetingMorning/Afternoon/Evening` like every other copy
  in that route. PaperDetailPanelCopy + PaperCalendarPopoverCopy +
  PaperYearRailProps + paper-view.tsx copy interface all gained the
  new keys; buildPaperDetailPanelCopy + buildPaperContactSheetCopy
  thread them through. i18n parity 100% (2798 keys × 3 locales).
- paper-preferences.ts: applyPaperPreferences now dispatches a
  `pathkeep.paperPreferencesChanged` CustomEvent (with the resolved
  preferences in `detail.preferences`) after applying + persisting.
  shell.tsx subscribes to that event so the topbar theme button stays
  in sync with Settings → Appearance toggles; settings/appearance-
  section.tsx subscribes too so flipping theme via the shell button
  updates the radio without re-mount. shell.tsx's handleToggleTheme
  now routes through applyPaperPreferences instead of mutating a
  private useState — single source of truth, one persist call.

Context
- Codex findings #1, #5, #6. Findings #2 (paper pagination), #3
  (og:image fetch trigger), #4 (coverage gate restoration) tracked
  separately and remain pending in BACKLOG.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
t41372 added a commit that referenced this pull request May 22, 2026
…age gate

Why
- Codex review flagged three more issues:
  (2) Paper Explorer Browse exposed no pagination — the underlying
      useExplorerUrlState had `goToHistoryPage` / `setHistoryPageSize`
      handlers, but the paper UI dropped them. For a 1440 M-row archive
      this caps the user at the first response page (≤200 rows).
  (3) Card-mode og:image cache only loaded existing rows — there was no
      production path that enqueued a fetch for cache-miss URLs, so a
      fresh archive permanently rendered favicons.
  (4) `check:coverage` ran `coverage:rust:quality` (a triage slice) not
      the accepted full-scope `coverage:rust`. That's an unauthorised
      gate weakening vs. docs/plan/program/quality-matrix.md.

What
- PaperContactSheet: new optional `pagination` prop renders a footer
  with newer/older buttons (paper goes newest → oldest, so "next" is
  the older direction), a "page X of Y · N rows" summary, and a
  rows-per-page selector. Disabled buttons clamp at archive bounds.
  Footer omitted entirely when route doesn't supply pagination (e.g.
  the day-only insight surface).
- PaperExplorerView + Explorer route: thread the new pagination
  descriptor through from useExplorerUrlState's existing
  handleNextHistoryPage / handlePreviousHistoryPage / setHistoryPageSize
  handlers. `visibleTimeResults` carries the authoritative page /
  pageCount / total / hasNext / hasPrevious; the footer reads them.
- i18n: 5 new keys across all three locales — paginationOlder, Newer,
  Summary, SummaryPending, PageSizeLabel. 2803 keys × 3 locales,
  parity 100%.
- use-explorer-og-images.ts: after `loadHistoryOgImages` resolves,
  the hook now diffs the response and enqueues
  `triggerOgImageRefetch(batch)` for URLs that came back with a
  non-`ok` status (missing or never-cached). Bounded at 20 URLs per
  render so the worker pool can't be stampeded; `enqueuedFetchRef`
  prevents re-enqueuing within the same cache epoch. The promise's
  .catch swallows rate-limit / disabled-fetch rejections silently —
  the Rust worker persists negative-cache rows on its own.
- og_images_fetch.rs: extracted `read_capped_bytes<R: Read>` from
  `read_response_body` so the body-read fall-throughs (Io error,
  TooLarge) can be unit-tested directly with synthetic Read impls,
  closing line 336 of the production source. Three new cargo tests:
  errors-mid-stream → Io, oversize → TooLarge, short stream → Ok.
- package.json: check:coverage now calls `coverage:rust` (full
  scope), not the `:quality` triage slice. The Rust full gate still
  has ~20 uncovered defensive lines (worker pool mutex poison,
  sender disconnect, mid-stream Io in the live HTTP pipeline) — those
  surface on `bun run check` so a release gate failure is honest.

Coverage delta
- JS: unchanged at 99.71 stmts / 98.89 branches / 99.77 funcs /
  99.89 lines (existing threshold still 99/99/98/99 pending the
  separate JS residual sweep).
- Rust full scope: 12 → 7 uncovered lines in og_images_fetch.rs.
  archive_flows.rs worker pool internals (13 lines) still need an
  integration harness — tracked in WORK-V03-RUST-COVERAGE-RESIDUAL.

Context
- Codex findings #2, #3, #4. Codex flagged the gate-weakening change
  as a merge blocker — the check:coverage script is now restored to
  full coverage. The remaining residual is documented in BACKLOG and
  the gate fails until it closes, which matches the codex requirement
  that it "must be restored before merge".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
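The `read_capped_bytes<R: Read>` extraction this commit message describes (body-read fall-throughs testable with synthetic `Read` impls: errors mid-stream, oversize, short stream) is a common defensive pattern for bounding untrusted HTTP response bodies. Below is an added Rust example written for this page, not the project's own source: `BodyError`, the signature of `read_capped_bytes`, the 4096-byte chunk size and the `FailAfter` test reader are all this example's own assumptions, and the inputs in `main` are constructed.

```rust
use std::io::{self, Read};

// Added example, not the project's own code: a capped body reader with the
// three outcomes named in the commit message (mid-stream error, oversize,
// short stream). `BodyError` and `FailAfter` are this example's assumptions.

#[derive(Debug)]
pub enum BodyError {
    /// The body exceeded `cap` bytes; the excess was never buffered.
    TooLarge { cap: usize },
    /// The underlying reader failed before EOF.
    Io(io::Error),
}

/// Read from `reader` until EOF, refusing bodies larger than `cap` bytes.
/// The buffer never grows past `cap`, so an endless or hostile response body
/// cannot exhaust memory: the first chunk that would overflow the cap ends the read.
pub fn read_capped_bytes<R: Read>(mut reader: R, cap: usize) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    let mut chunk = [0u8; 4096];
    loop {
        let n = match reader.read(&mut chunk) {
            Ok(0) => return Ok(body),
            Ok(n) => n,
            // Interrupted is retryable and carries no data.
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(BodyError::Io(e)),
        };
        if body.len() + n > cap {
            return Err(BodyError::TooLarge { cap });
        }
        body.extend_from_slice(&chunk[..n]);
    }
}

/// Constructed reader that serves `data` and then fails, simulating a peer
/// that drops the connection mid-stream.
pub struct FailAfter {
    data: Vec<u8>,
    pos: usize,
}

impl FailAfter {
    pub fn new(data: &[u8]) -> Self {
        FailAfter { data: data.to_vec(), pos: 0 }
    }
}

impl Read for FailAfter {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        if self.pos >= self.data.len() {
            return Err(io::Error::new(io::ErrorKind::ConnectionReset, "peer reset mid-stream"));
        }
        let n = out.len().min(self.data.len() - self.pos);
        out[..n].copy_from_slice(&self.data[self.pos..self.pos + n]);
        self.pos += n;
        Ok(n)
    }
}

fn main() {
    // Short stream: well under the cap, the bytes come back intact.
    println!("{:?}", read_capped_bytes(&b"<html>ok</html>"[..], 1024));
    // Oversize: io::repeat never reaches EOF, so only the cap stops it.
    println!("{:?}", read_capped_bytes(io::repeat(b'x'), 1024));
    // Mid-stream failure surfaces as Io rather than as a truncated Ok body.
    println!("{:?}", read_capped_bytes(FailAfter::new(b"partial"), 1024));
}
```

Taking `R: Read` rather than a concrete HTTP response type is what makes the fall-through branches unit-testable offline: `io::repeat` exercises the oversize path and a tiny custom reader exercises the mid-stream error path without any network.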
t41372 added a commit that referenced this pull request May 22, 2026
Why
- Codex review on 2026-05-21 raised six findings against
  feat/v0.3-redesign-2. Five are now closed (palette contract, i18n
  raw copy, theme dual state, paper pagination, og:image fetch trigger);
  the gate-restoration finding stays blocked until the Rust line
  residual closes. Document the closeouts + the remaining residual
  shape so the next session can pick up cleanly.

What
- BACKLOG: new WORK-V03-CODEX-REVIEW-FOLLOWUP block with per-finding
  status, commit references, and the explicit "merge blocker" call-out
  on #4 (full coverage gate restoration).
- WORK-V03-RUST-COVERAGE-RESIDUAL: updated with this session's progress
  (check:coverage restored to coverage:rust full, annotations 4 lines
  closed, og_images.rs row-mapper closure now exercised, og_images_fetch
  utf8 + absolutize + read_capped_bytes extractions). Residual list
  refreshed to the current line numbers: 7 in og_images_fetch + 13 in
  archive_flows worker pool internals.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>