Skip to content

chore(security): drop stale pyo3 ignore from audit.toml + bump site ws/yaml#2131

Open
chaliy wants to merge 2 commits into
mainfrom
claude/friendly-einstein-pmxzvd
Open

chore(security): drop stale pyo3 ignore from audit.toml + bump site ws/yaml#2131
chaliy wants to merge 2 commits into
mainfrom
claude/friendly-einstein-pmxzvd

Conversation

@chaliy

@chaliy chaliy commented Jun 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Security dependency hygiene. Rebased on latest main; scope narrowed after #2130 landed.

Note: #2130 already removed the stale pyo3 ignores from deny.toml. That overlap dropped out cleanly on rebase — but #2130 missed .cargo/audit.toml, which carried the same now-stale entries. This PR finishes that cleanup and adds an unrelated npm fix.

1. Drop stale pyo3 advisory ignores from .cargo/audit.toml (cargo)

pyo3/pyo3-async-runtimes are at 0.29.0 in Cargo.lock, so these are "patched in >= 0.29" and no longer match any crate — dead suppressions:

  • RUSTSEC-2026-0176 — OOB read in PyList/PyTuple nth/nth_back
  • RUSTSEC-2026-0177 — missing Sync bound on PyCFunction::new_closure

.cargo/audit.toml is the file CI's cargo-audit (rustsec/audit-check) actually reads, so leaving these here keeps a live suppression that would re-mask the advisory if pyo3 were downgraded. The matching deny.toml entries were already removed by #2130.

Remaining ignore kept (still present, no fixed release): RUSTSEC-2023-0071 (rsa Marvin, via russh).

2. Bump site ws/yaml to patched versions (npm)

Two GitHub Dependabot alerts on the site/ Astro project, both deep transitive dev deps (build/deploy tooling, not shipped in the bundle):

  • ws (GHSA-96hv-2xvq-fx4p, high): memory-exhaustion DoS; affects >=8.0.0 <8.21.0; via wrangler > miniflare > ws. Pinned >=8.21.0.
  • yaml (GHSA-48c2-rrv3-qjmp, moderate): stack overflow via deeply nested collections; affects >=2.0.0 <2.8.3; via @astrojs/check > … > yaml. Pinned >=2.8.3 (resolves 2.9.0).

Added as pnpm overrides alongside the existing esbuild/undici security pins. pnpm audit now reports no known vulnerabilities for site/.

Verification

  • pyo3 = 0.29.0 / pyo3-async-runtimes = 0.29.0 in Cargo.lock.
  • pnpm audit clean for site/; Site Build + Cloudflare deploy green on the PR.
  • RustSec DB is egress-blocked in the dev sandbox; CI's cargo-audit validates the cargo side on networked runners.

https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 28, 2026
edited
Loading

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 bashkit 18db537 Commit Preview URL

Branch Preview URL		 Jun 29 2026, 09:14 AM

@chaliy chaliy changed the title chore(security): drop resolved pyo3 advisory ignores after 0.29 bump chore(security): resolve pyo3 advisory ignores + bump site ws/yaml Jun 28, 2026
@chaliy chaliy mentioned this pull request Jun 29, 2026
Closed
chaliy added 2 commits June 29, 2026 09:12
@chaliy
chore(security): drop resolved pyo3 advisory ignores after 0.29 bump
4f509dc 
pyo3 and pyo3-async-runtimes are now at 0.29.0 (Cargo.lock), so the
RUSTSEC-2026-0176 (OOB read in PyList/PyTuple iterators) and
RUSTSEC-2026-0177 (missing Sync bound on PyCFunction::new_closure)
advisories no longer match any crate in the tree — both are patched in
pyo3 >=0.29. Remove the now-stale ignore entries from .cargo/audit.toml
and deny.toml, as their own comments instructed ("Remove on pyo3 0.29
bump").

Remaining ignores are all still-present, unfixable transitive deps:
RUSTSEC-2023-0071 (rsa Marvin, via russh), RUSTSEC-2023-0089
(atomic-polyfill unmaintained, via monty), RUSTSEC-2026-0173
(proc-macro-error2 unmaintained, bench-only via tabled).

Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
@chaliy
fix(site): bump ws and yaml to patched versions
18db537 
Resolve two GitHub Dependabot security alerts on the site/ Astro project,
both deep transitive dev dependencies:

- ws (GHSA-96hv-2xvq-fx4p, high): memory-exhaustion DoS from tiny
  fragments/data chunks; affects >=8.0.0 <8.21.0. Pulled via
  wrangler > miniflare > ws. Pin to >=8.21.0.
- yaml (GHSA-48c2-rrv3-qjmp, moderate): stack overflow via deeply nested
  YAML collections; affects >=2.0.0 <2.8.3. Pulled via
  @astrojs/check > @astrojs/language-server > volar-service-yaml >
  yaml-language-server > yaml. Pin to >=2.8.3 (resolves to 2.9.0).

Both are build/deploy tooling only (not shipped in the site bundle), but
Dependabot flags them. Added pnpm overrides alongside the existing
esbuild/undici security pins. pnpm audit now reports no known
vulnerabilities.

Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
@chaliy chaliy force-pushed the claude/friendly-einstein-pmxzvd branch from 32b556f to 18db537 Compare June 29, 2026 09:13
@chaliy chaliy changed the title chore(security): resolve pyo3 advisory ignores + bump site ws/yaml chore(security): drop stale pyo3 ignore from audit.toml + bump site ws/yaml Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaliy