Skip to content

fix(deps): patch quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185)#47

Merged
epicsagas merged 1 commit into
mainfrom
fix/audit-quinn-proto-rustsec-2026-0185
Jun 26, 2026
Merged

fix(deps): patch quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185)#47
epicsagas merged 1 commit into
mainfrom
fix/audit-quinn-proto-rustsec-2026-0185

Conversation

@epicsagas

Copy link
Copy Markdown
Owner

Summary

Fixes the audit CI gate that was failing on every PR (#44, #46) due to RUSTSEC-2026-0185 in quinn-proto.

Change

Single lockfile bump: quinn-proto 0.11.14 -> 0.11.15.

quinn-proto reaches Cargo.lock via the reqwest 0.12 transitive tree (llm-kernel itself depends on reqwest 0.13), but it is not activated under any feature or targetcargo tree -i quinn-proto --all-features reports "nothing to print". So the vulnerable code is never compiled into any build; this is a defense-in-depth lockfile patch so the audit scanner no longer flags it.

Verification

  • cargo audit0 vulnerabilities, exit 0 (was: 1, RUSTSEC-2026-0185)
  • cargo build --all-features → clean
  • cargo test --all-features → 571 passed, 0 failed
  • Remaining 3 advisories are allowed unmaintained/unsound warnings (paste, rustls-pemfile, memmap2) — non-blocking, pre-existing

The remaining allowed warnings are out of scope here; this PR only clears the hard audit failure.

Resolves RUSTSEC-2026-0185 in quinn-proto, the advisory that was failing
the audit CI gate on every PR (#44, #46). quinn-proto reaches the
lockfile via the reqwest 0.12 tree but is not activated under any
feature/target combination (cargo tree -i reports nothing to print), so
this is a lockfile-only patch. Verified: cargo audit now reports 0
vulnerabilities (exit 0); cargo test --all-features green.
@epicsagas epicsagas merged commit 4a5bb9f into main Jun 26, 2026
22 checks passed
@epicsagas epicsagas deleted the fix/audit-quinn-proto-rustsec-2026-0185 branch June 26, 2026 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant