Remediate high-severity Rust advisories via targeted lockfile upgrades by Copilot · Pull Request #12 · trimble-oss/OpenShell

Copilot · 2026-04-27T17:17:53Z

This repository was flagged for policy non-compliance due to open high-severity Dependabot vulnerabilities. This change set reduces the MUST-level security exposure by applying minimal, lockfile-only Rust dependency upgrades.

Security remediation (high-severity transitive deps)
- Updated Cargo.lock to pick up patched versions for vulnerable transitive crates.
- Upgraded:
  - aws-lc-rs 1.16.1 → 1.16.3
  - aws-lc-sys 0.38.0 → 0.40.0
  - rustls-webpki 0.103.9 → 0.103.13
Scope
- No source code changes.
- No manifest (Cargo.toml) changes.
- Single-file diff: Cargo.lock.

Representative lockfile delta

[[package]]
name = "aws-lc-sys"
version = "0.40.0"

[[package]]
name = "rustls-webpki"
version = "0.103.13"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

api.example.com
- Triggering command: /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e�� /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.2qth9vdfz8c8st4poy1tmuouc.0xhtmx4.rcgu.o tion-1fa693c8624bfced f860�� f8608f37f.0wrhda1am19tbjq5w2uusqveo.0iibkpr.rcgu.o f8608f37f.0xubxnyetfigtekbdr7y1wj7e.0iibkpr.rcgu.o nference-eae093f-m nference-eae093fcc nference-eae093f-m64 nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/rustc9DrOFt/symbols.o nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.000h6rzbll2ks0q2l6odph3wy.0xhtmx4.rcgu.o nfer�� LFj/symbols.o 2dc07d6 lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld :40823/connect/ssh --sandbox-id id-default-command --token test-token --gateway-name openshell l_router-83481aarev-parse l_router-83481aa--show-toplevel lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld (dns block)
dns.google
- Triggering command: /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e�� /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.2qth9vdfz8c8st4poy1tmuouc.0xhtmx4.rcgu.o tion-1fa693c8624bfced f860�� f8608f37f.0wrhda1am19tbjq5w2uusqveo.0iibkpr.rcgu.o f8608f37f.0xubxnyetfigtekbdr7y1wj7e.0iibkpr.rcgu.o nference-eae093f-m nference-eae093fcc nference-eae093f-m64 nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/rustc9DrOFt/symbols.o nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.000h6rzbll2ks0q2l6odph3wy.0xhtmx4.rcgu.o nfer�� LFj/symbols.o 2dc07d6 lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld :40823/connect/ssh --sandbox-id id-default-command --token test-token --gateway-name openshell l_router-83481aarev-parse l_router-83481aa--show-toplevel lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld (dns block)
https://api.github.com/graphql
- Triggering command: /usr/bin/gh gh auth status (http block)
icanhazdadjoke.com
- Triggering command: /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e�� /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.2qth9vdfz8c8st4poy1tmuouc.0xhtmx4.rcgu.o tion-1fa693c8624bfced f860�� f8608f37f.0wrhda1am19tbjq5w2uusqveo.0iibkpr.rcgu.o f8608f37f.0xubxnyetfigtekbdr7y1wj7e.0iibkpr.rcgu.o nference-eae093f-m nference-eae093fcc nference-eae093f-m64 nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/rustc9DrOFt/symbols.o nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.000h6rzbll2ks0q2l6odph3wy.0xhtmx4.rcgu.o nfer�� LFj/symbols.o 2dc07d6 lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld :40823/connect/ssh --sandbox-id id-default-command --token test-token --gateway-name openshell l_router-83481aarev-parse l_router-83481aa--show-toplevel lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld (dns block)
mise.run
- Triggering command: /usr/bin/curl curl -fsSL REDACTED /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0if9qll43nwkrsalnjbw9i08a.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0kaicknwpkmaw42jubjgf8n2e.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0kv4ejajy85u0q3ihe38xretc.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0mst0zueyor9b5cinpm5g158b.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0oh8ie0uz8h8upauzejc9wl3f.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0p1a3sr4fk8zjf2h40smuu3v3.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b499�� /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0smcvm64eqk9wcrbclsabc07f.0dskbyi.rcgu.o /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.0x6zqjubj6hgv95b83330ph2t.0dskbyi.rcgu.o musb�� b838ffdb5ec45/ru/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/sqlx_macros-7c27127c0856git b838ffdb5ec45/bu/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/sqlx_macros-7c27127c0856commit lib/rustlib/x86_64-REDACTED-linux-gnu/bin/cc b838ffdb5ec45/bucc d8 -1949cf8c6b5b557/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/rustcDdfJ4G/symbols.o known-linux-gnu//home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/ws_tunnel_integration-b2b4994208e0d682.009b2561wk7smryz9efk7gbkm.0dskbyi.rcgu.o (dns block)
this-host-does-not-exist.invalid
- Triggering command: /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_sandbox-2f32c696cc9f1558 /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e�� /home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.2qth9vdfz8c8st4poy1tmuouc.0xhtmx4.rcgu.o tion-1fa693c8624bfced f860�� f8608f37f.0wrhda1am19tbjq5w2uusqveo.0iibkpr.rcgu.o f8608f37f.0xubxnyetfigtekbdr7y1wj7e.0iibkpr.rcgu.o nference-eae093f-m nference-eae093fcc nference-eae093f-m64 nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/rustc9DrOFt/symbols.o nference-eae093f/home/REDACTED/work/OpenShell/OpenShell/target/debug/deps/openshell_policy-3c7a496138e42544.000h6rzbll2ks0q2l6odph3wy.0xhtmx4.rcgu.o nfer�� LFj/symbols.o 2dc07d6 lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld :40823/connect/ssh --sandbox-id id-default-command --token test-token --gateway-name openshell l_router-83481aarev-parse l_router-83481aa--show-toplevel lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Agent-Logs-Url: https://github.com/trimble-oss/OpenShell/sessions/81677fcb-e61d-48d6-9d78-fe0265e1e8d8 Co-authored-by: jeff-at-trimble <215895768+jeff-at-trimble@users.noreply.github.com>

Initial plan

adee569

Copilot AI assigned Copilot and jeff-at-trimble Apr 27, 2026

Copilot started work on behalf of jeff-at-trimble April 27, 2026 17:17 View session

Copilot AI linked an issue Apr 27, 2026 that may be closed by this pull request

🚨 Policy Compliance Violation — Action Required #6

Open

fix(deps): patch high-severity Rust advisories in lockfile

478af55

Agent-Logs-Url: https://github.com/trimble-oss/OpenShell/sessions/81677fcb-e61d-48d6-9d78-fe0265e1e8d8 Co-authored-by: jeff-at-trimble <215895768+jeff-at-trimble@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix policy compliance violation regarding Dependabot vulnerabilities~~ Remediate high-severity Rust advisories via targeted lockfile upgrades Apr 27, 2026

Copilot AI requested a review from jeff-at-trimble April 27, 2026 17:37

Copilot finished work on behalf of jeff-at-trimble April 27, 2026 17:37

jeff-at-trimble marked this pull request as ready for review April 27, 2026 18:07

jeff-at-trimble merged commit d7caae3 into main Apr 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remediate high-severity Rust advisories via targeted lockfile upgrades#12

Remediate high-severity Rust advisories via targeted lockfile upgrades#12
jeff-at-trimble merged 2 commits intomainfrom
copilot/resolve-policy-compliance-violation

Copilot AI commented Apr 27, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Apr 27, 2026 •

edited

Loading