
fix(deps): bump rustls-webpki to 0.103.13 (RUSTSEC-2026-0104) #107

Merged: jdx merged 1 commit into main from fix/rustls-webpki-audit on Apr 23, 2026

@jdx jdx commented Apr 23, 2026

Summary

  • Bump rustls-webpki 0.103.12 → 0.103.13 in Cargo.lock to address RUSTSEC-2026-0104 (reachable panic in certificate revocation list parsing), flagged by cargo audit in CI.

Test plan

  • cargo build succeeds
  • cargo audit passes in CI

🤖 Generated with Claude Code


Note

Low Risk
Low code-change risk since this is a lockfile-only dependency bump, but it affects TLS certificate validation behavior and should be verified in CI to avoid unexpected runtime differences.

Overview
Updates Cargo.lock to bump rustls-webpki from 0.103.12 to 0.103.13 (checksum updated) to pick up the security fix referenced by RUSTSEC-2026-0104.

Reviewed by Cursor Bugbot for commit 28c6a88. Bugbot is set up for automated code reviews on this repo. Configure here.

Addresses RUSTSEC-2026-0104 (reachable panic in certificate revocation
list parsing) flagged by cargo audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

greptile-apps Bot commented Apr 23, 2026

No reviewable files after applying ignore patterns.

@jdx jdx enabled auto-merge (squash) April 23, 2026 16:52
@jdx jdx merged commit 536b3d5 into main Apr 23, 2026
6 checks passed
@jdx jdx deleted the fix/rustls-webpki-audit branch April 23, 2026 16:52

codecov Bot commented Apr 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.08%. Comparing base (e82e22c) to head (28c6a88).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #107   +/-   ##
=======================================
  Coverage   94.08%   94.08%           
=======================================
  Files          26       26           
  Lines        4055     4055           
  Branches     4055     4055           
=======================================
  Hits         3815     3815           
  Misses        155      155           
  Partials       85       85           


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the rustls-webpki dependency in Cargo.lock from version 0.103.12 to 0.103.13. I have no feedback to provide.

jdx added a commit that referenced this pull request Apr 23, 2026
A small patch release that fixes a panic when generating notes against
releases with multi-byte characters in their bodies, and picks up a
security fix in `rustls-webpki`.

## Fixed

- **Don't panic on multi-byte chars in style-reference bodies** —
`communique generate` truncates each recent release body to 3072 bytes
to keep the prompt small, but previously sliced `&body[..3072]`
directly. If byte 3072 fell inside a multi-byte UTF-8 character (common
with em-dashes, which are 3 bytes), the command would panic with `byte
index 3072 is not a char boundary`. The truncation now walks back to the
nearest char boundary before slicing, with a regression test covering
the case. ([#113](#113)) (@jdx)

## Security

- **`rustls-webpki` bumped to 0.103.13** — Addresses
[RUSTSEC-2026-0104](https://rustsec.org/advisories/RUSTSEC-2026-0104), a
reachable panic in certificate revocation list parsing. Lockfile-only
change. ([#107](#107)) (@jdx)

## Docs

- Added a dismissible cross-site announcement banner and an en.dev
footer to the documentation site, with follow-up polish (contrast,
centering, z-index), smarter caching, and `ResizeObserver`-based height
syncing so VitePress's nav offset stays correct on resize.
([#109](#109),
[#110](#110),
[#111](#111),
[#112](#112)) (@jdx)

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
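
The truncation fix described in the release notes above, as an added example that is not communique's own code. The function and constant names are hypothetical and the sample body is constructed; only the 3072-byte limit and the 3-byte em-dash come from the notes.

```rust
// Added example: names are hypothetical, not taken from the communique code base.
const MAX_BODY_BYTES: usize = 3072; // limit stated in the release notes

/// Returns the longest prefix of `body` that is at most `max` bytes long
/// and ends on a UTF-8 character boundary, so the slice can never panic.
fn truncate_on_char_boundary(body: &str, max: usize) -> &str {
    if body.len() <= max {
        return body;
    }
    let mut end = max;
    // A UTF-8 character is at most 4 bytes, so this walks back at most 3 steps.
    // Index 0 is always a boundary, which guarantees termination.
    while !body.is_char_boundary(end) {
        end -= 1;
    }
    &body[..end]
}

/// Constructed sample: 3071 ASCII bytes, then an em-dash (U+2014, bytes E2 80 94)
/// that straddles byte offset 3072, then more text.
fn sample_body() -> String {
    let mut s = "a".repeat(MAX_BODY_BYTES - 1);
    s.push('\u{2014}');
    s.push_str(" trailing text");
    s
}

fn main() {
    let body = sample_body();
    // `str::get` is the non-panicking form of `&body[..3072]`;
    // `None` here means the direct slice would have panicked.
    let direct = body.get(..MAX_BODY_BYTES);
    println!("direct slice at 3072 valid: {}", direct.is_some());

    let cut = truncate_on_char_boundary(&body, MAX_BODY_BYTES);
    println!("safe truncation keeps {} bytes", cut.len());
}
```
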