Skip to content

chore(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#210

Open
mauripunzueta wants to merge 1 commit into
mainfrom
fix/rustsec-2026-0204-crossbeam-epoch
Open

chore(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#210
mauripunzueta wants to merge 1 commit into
mainfrom
fix/rustsec-2026-0204-crossbeam-epoch

Conversation

@mauripunzueta

Copy link
Copy Markdown
Contributor

Summary

Bumps crossbeam-epoch 0.9.18 → 0.9.20 (lockfile-only) to clear RUSTSEC-2026-0204, which is currently failing the Security Audit CI job on every open PR.

The advisory

crossbeam-epoch 0.9.0–0.9.19 has an invalid pointer dereference in the fmt::Pointer implementation for Atomic/Shared: formatting a null pointer (from Atomic::null / Shared::null) dereferences it without a null check. Fixed in 0.9.20.

Fix rationale

A patched version exists and the bump is semver-compatible (0.9.x → 0.9.x, Cargo.lock only, no Cargo.toml change), so this removes the vulnerability rather than suppressing it. That's preferable to adding RUSTSEC-2026-0204 to cargo audit's --ignore list in ci.yml — the ignore list is reserved for advisories with no reachable fix (e.g. transitive deps pinned by the AWS SDK / blocked upstream), which isn't the case here.

Impact

  • Unblocks the Security Audit job for main and all open PRs.
  • No source changes; no behavioral change.

Test plan

  • CI Security Audit passes (no remaining un-ignored advisory).

crossbeam-epoch 0.9.0–0.9.19 has an invalid pointer dereference in the
`fmt::Pointer` impl for `Atomic`/`Shared` when formatting null pointers
(RUSTSEC-2026-0204), fixed in 0.9.20. This is a semver-compatible lockfile
bump (no Cargo.toml change) that clears the advisory currently failing the
Security Audit job on every open PR.
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@mauripunzueta mauripunzueta requested a review from smunini July 7, 2026 01:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant