fix: Update Rust crypto dependencies for security vulnerabilities #82

Merged
GordonBeeming merged 2 commits into main from gb/fix-security-alerts on Mar 23, 2026

Conversation

GordonBeeming (Owner) wrote:
Summary

  • Upgrade aws-lc-sys 0.34.0 to 0.39.0 (via aws-lc-rs 1.15.1 to 1.16.2)
  • Upgrade rustls-webpki 0.103.8 to 0.103.10
  • Bump version to 2026.03.24

Fixes 6 Dependabot security advisories (5 high, 1 medium):

| Advisory | Package | Severity | Issue |
|---|---|---|---|
| GHSA-vw5v-4f2q-w9xf | aws-lc-sys | High | PKCS7_verify certificate chain validation bypass |
| GHSA-65p9-r9h6-22vj | aws-lc-sys | High | Timing side-channel in AES-CCM tag verification |
| GHSA-hfpc-8r3f-gw53 | aws-lc-sys | High | PKCS7_verify signature validation bypass |
| GHSA-394x-vwmw-crm3 | aws-lc-sys | High | X.509 name constraints bypass via wildcard/unicode CN |
| GHSA-9f94-5g5w-gf6r | aws-lc-sys | High | CRL distribution point scope check logic error |
| GHSA-pwjx-qhcg-rvj4 | rustls-webpki | Medium | CRLs not considered authoritative by distribution point |

Test plan

  • cargo build compiles successfully
  • CI passes
  • Dependabot alerts auto-close after merge

Solo with Claude Code and GitButler assistance

Upgrade aws-lc-sys 0.34.0 -> 0.39.0 (via aws-lc-rs 1.15.1 -> 1.16.2) and
rustls-webpki 0.103.8 -> 0.103.10 to fix 6 security advisories:

- GHSA-vw5v-4f2q-w9xf: PKCS7_verify certificate chain validation bypass
- GHSA-65p9-r9h6-22vj: Timing side-channel in AES-CCM tag verification
- GHSA-hfpc-8r3f-gw53: PKCS7_verify signature validation bypass
- GHSA-394x-vwmw-crm3: X.509 name constraints bypass via wildcard/unicode CN
- GHSA-9f94-5g5w-gf6r: CRL distribution point scope check logic error
- GHSA-pwjx-qhcg-rvj4: CRLs not considered authoritative by distribution point

Bump version to 2026.03.24.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: GitButler <gitbutler@gitbutler.com>
@GordonBeeming GordonBeeming marked this pull request as ready for review March 23, 2026 19:02
Copilot AI review requested due to automatic review settings March 23, 2026 19:02
Copilot AI (Contributor) left a comment:

Pull request overview

This PR addresses Dependabot-reported Rust crypto vulnerabilities in the proxy component by updating locked dependency versions, and bumps the project version across scripts, build metadata, and WinGet manifests.

Changes:

  • Update proxy Rust lockfile to newer aws-lc-* and rustls-webpki versions to remediate security advisories.
  • Bump the project version to 2026.03.24 across release/version-bearing files.
  • Update WinGet manifest PackageVersion values to match the new release version.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| proxy/Cargo.lock | Updates locked Rust crypto-related dependency versions to address security advisories. |
| packaging/winget/GordonBeeming.CopilotHere.yaml | Bumps WinGet manifest version to the new release version. |
| packaging/winget/GordonBeeming.CopilotHere.locale.en-US.yaml | Keeps WinGet locale manifest version in sync with the release version. |
| packaging/winget/GordonBeeming.CopilotHere.installer.yaml | Keeps WinGet installer manifest version in sync with the release version. |
| copilot_here.sh | Updates shell wrapper version constants to the new release version. |
| copilot_here.ps1 | Updates PowerShell wrapper version constants to the new release version. |
| app/Infrastructure/BuildInfo.cs | Updates build date/version constant to match the new release version. |
| VERSION | Central version bump for the repository. |
| .github/copilot-instructions.md | Updates documented "Current version" value. |

Remove hardcoded "Current version" line that gets stale. Update
Directory.Build.props description to reflect it reads from VERSION file.
Add reference to scripts/bump-version.sh and VERSION file in checklist.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: GitButler <gitbutler@gitbutler.com>
@GordonBeeming GordonBeeming merged commit 4a7957a into main Mar 23, 2026
29 checks passed
@GordonBeeming GordonBeeming deleted the gb/fix-security-alerts branch March 23, 2026 19:16