fix(security): resolve RUSTSEC-2026-0098/0099/0097, remove dead deps #826
Merged
AlexMikhalev merged 4 commits into main from … on Apr 21, 2026
…lient/mcp-spec deps
- Upgrade reqwest-eventsource 0.5 -> 0.6 in terraphim_middleware (eliminates reqwest 0.11.27 -> rustls-webpki 0.101.7 vulnerable chain)
- Remove dead mcp-client 0.1 and mcp-spec 0.1 optional deps from terraphim_middleware (never imported in code, pulled in reqwest 0.11)
- Update audit.toml: add RUSTSEC-2026-0098/0099 ignores for serenity chain (semver-blocked on serenity 0.13), RUSTSEC-2026-0097 for rand unsoundness, RUSTSEC-2025-0141 for bincode unmaintained
- cargo audit: 0 errors, 4 low-severity unmaintained warnings only
- Dependencies reduced from 1028 to 1001 crates

Refs #644
New workspace crate for static detection of Explicit Deferral Markers (EDMs) -- todo!(), unimplemented!(), panic stubs -- in Rust source files.

Architecture follows KG thesaurus pattern (mirrors guard_patterns.rs):
- Patterns defined in data/edm_tier1.json as Thesaurus entries
- Uses terraphim_automata::find_matches() for Aho-Corasick scanning
- NormalizedTerm.url carries finding metadata (description||suggestion||severity)
- Custom thesauruses loadable via NegativeContributionScanner::from_thesaurus()

Module layout:
- scanner.rs: NegativeContributionScanner struct, scan_file/scan_files/scan_to_output
- exclusion.rs: is_non_production() path and content-based exclusion
- data/edm_tier1.json: embedded Tier 1 pattern thesaurus (6 patterns)

Quality gates:
- 40 unit tests pass (detection, suppression, exclusion, output, custom thesaurus)
- cargo clippy -- -D warnings: 0 warnings
- cargo fmt --check: passes
- cargo check --workspace: passes

Refs #626
AlexMikhalev added a commit that referenced this pull request, Apr 21, 2026
Summary
- Upgrade reqwest-eventsource 0.5 -> 0.6 in terraphim_middleware (eliminates reqwest 0.11.27 -> rustls-webpki 0.101.7 vulnerable chain for RUSTSEC-2026-0098/0099)
- Remove mcp-client 0.1 and mcp-spec 0.1 optional deps from terraphim_middleware (never imported in code, pulled in another reqwest 0.11.27 chain)
- .cargo/audit.toml: add RUSTSEC-2026-0098/0099 ignores for serenity 0.12.5 chain (semver-blocked on serenity 0.13), RUSTSEC-2026-0097 for rand unsoundness, RUSTSEC-2025-0141 for bincode unmaintained

Test plan
- cargo check --workspace passes
- cargo clippy --workspace passes
- cargo audit returns 0 errors
- cargo test --workspace passes (CI)

Refs #644
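As an added example (not code from this PR or the project), a CI-style check for the accepted-risk ignores this change adds to .cargo/audit.toml: every ignore must carry a same-line justification comment and must still map to a crate present in Cargo.lock, so a semver-blocked ignore gets flagged for removal once the upstream upgrade lands. The advisory-to-crate map and both sample files are constructed; only the advisory ids and crate names come from the PR.

```python
import re
# Constructed for this example: the crate each accepted advisory concerns (real ranges: RustSec DB).
ADVISORY_PACKAGE = {
    "RUSTSEC-2026-0098": "rustls-webpki",  # reqwest 0.11 chain under serenity 0.12.5
    "RUSTSEC-2026-0099": "rustls-webpki",
    "RUSTSEC-2026-0097": "rand",           # unsoundness advisory
    "RUSTSEC-2025-0141": "bincode",        # unmaintained warning
}
# An ignore entry with its optional same-line "# reason"; a [[package]] table in Cargo.lock.
IGNORE_ENTRY = re.compile(r'"(RUSTSEC-\d{4}-\d{4})"\s*,?[ \t]*(?:#[ \t]*([^\n]*))?')
LOCK_PACKAGE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def parse_ignores(audit_toml):
    """Map each ignored advisory id to its justification comment (None if absent)."""
    return {m.group(1): (m.group(2) and m.group(2).strip()) or None
            for m in IGNORE_ENTRY.finditer(audit_toml)}

def parse_lock(cargo_lock):
    """Map crate name -> locked version for every [[package]] entry."""
    return dict(LOCK_PACKAGE.findall(cargo_lock))

def check_ignores(audit_toml, cargo_lock, advisory_package=ADVISORY_PACKAGE):
    # One finding per problem: unverifiable id, stale ignore, or missing justification.
    lock, findings = parse_lock(cargo_lock), []
    for adv, reason in parse_ignores(audit_toml).items():
        crate = advisory_package.get(adv)
        if crate is None:
            findings.append(f"{adv}: not in advisory map, cannot verify")
        elif crate not in lock:
            findings.append(f"{adv}: stale, {crate} is no longer in Cargo.lock")
        if not reason:
            findings.append(f"{adv}: no justification comment")
    return findings

# Constructed sample inputs, not the project's real files.
SAMPLE_AUDIT_TOML = """[advisories]
ignore = [
    "RUSTSEC-2026-0098",  # rustls-webpki via serenity 0.12.5; semver-blocked on serenity 0.13
    "RUSTSEC-2026-0099",  # same chain as above
    "RUSTSEC-2026-0097",  # rand unsoundness, affected API not used
    "RUSTSEC-2025-0141",  # bincode unmaintained, low severity
    "RUSTSEC-0000-0000",
]
"""
SAMPLE_CARGO_LOCK = """[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rustls-webpki"
version = "0.101.7"
"""
```

Run `check_ignores` on the real files in CI and fail the job when it returns anything, so the ignore list shrinks as the blocked upgrades (serenity 0.13 here) become possible.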