From 4f509dc6436e6297c5e54a831669f6e49884c82c Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 28 Jun 2026 01:33:44 +0000 Subject: [PATCH 1/2] chore(security): drop resolved pyo3 advisory ignores after 0.29 bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pyo3 and pyo3-async-runtimes are now at 0.29.0 (Cargo.lock), so the RUSTSEC-2026-0176 (OOB read in PyList/PyTuple iterators) and RUSTSEC-2026-0177 (missing Sync bound on PyCFunction::new_closure) advisories no longer match any crate in the tree — both are patched in pyo3 >=0.29. Remove the now-stale ignore entries from .cargo/audit.toml and deny.toml, as their own comments instructed ("Remove on pyo3 0.29 bump"). Remaining ignores are all still-present, unfixable transitive deps: RUSTSEC-2023-0071 (rsa Marvin, via russh), RUSTSEC-2023-0089 (atomic-polyfill unmaintained, via monty), RUSTSEC-2026-0173 (proc-macro-error2 unmaintained, bench-only via tabled). Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g --- .cargo/audit.toml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.cargo/audit.toml b/.cargo/audit.toml index ffa863531..2fa2b7208 100644 --- a/.cargo/audit.toml +++ b/.cargo/audit.toml @@ -7,18 +7,4 @@ ignore = [ # Transitive via russh-keys -> ssh-key -> rsa # Only used for RSA key parsing in SSH; no direct exposure "RUSTSEC-2023-0071", - # pyo3: OOB read in PyList/PyTuple nth/nth_back (RUSTSEC-2026-0176) - # Patched in pyo3 >=0.29. Blocked from upgrading: pyo3-async-runtimes - # (the asyncio bridge in bashkit-python) has no 0.29 release yet and its - # main branch still pins pyo3 0.28. pyo3 here powers the host-side Python - # bindings only, not the sandboxed-script path, so sandboxed bash cannot - # reach the vulnerable iterators. Remove once pyo3-async-runtimes ships - # a 0.29-compatible release and we bump pyo3. - "RUSTSEC-2026-0176", - # pyo3: missing Sync bound on PyCFunction::new_closure (RUSTSEC-2026-0177) - # Patched in pyo3 >=0.29; same pyo3-async-runtimes blocker as above. - # Stronger justification: `PyCFunction::new_closure` is not called - # anywhere in this workspace, so the unsound API is unreachable. - # Remove on the same pyo3 0.29 bump. - "RUSTSEC-2026-0177", ] From 18db5373ab077d6d9cecf924aac18322446a9a3b Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 28 Jun 2026 01:36:56 +0000 Subject: [PATCH 2/2] fix(site): bump ws and yaml to patched versions Resolve two GitHub Dependabot security alerts on the site/ Astro project, both deep transitive dev dependencies: - ws (GHSA-96hv-2xvq-fx4p, high): memory-exhaustion DoS from tiny fragments/data chunks; affects >=8.0.0 <8.21.0. Pulled via wrangler > miniflare > ws. Pin to >=8.21.0. - yaml (GHSA-48c2-rrv3-qjmp, moderate): stack overflow via deeply nested YAML collections; affects >=2.0.0 <2.8.3. Pulled via @astrojs/check > @astrojs/language-server > volar-service-yaml > yaml-language-server > yaml. Pin to >=2.8.3 (resolves to 2.9.0). Both are build/deploy tooling only (not shipped in the site bundle), but Dependabot flags them. Added pnpm overrides alongside the existing esbuild/undici security pins. pnpm audit now reports no known vulnerabilities. Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g --- site/package.json | 4 +++- site/pnpm-lock.yaml | 21 ++++++++------------- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/site/package.json b/site/package.json index a4ef7edf2..f02d0b68a 100644 --- a/site/package.json +++ b/site/package.json @@ -33,7 +33,9 @@ "pnpm": { "overrides": { "esbuild": ">=0.28.1", - "undici": "^7.28.0" + "undici": "^7.28.0", + "ws": ">=8.21.0", + "yaml": ">=2.8.3" }, "onlyBuiltDependencies": [ "esbuild", diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml index 875da184d..bb46a5429 100644 --- a/site/pnpm-lock.yaml +++ b/site/pnpm-lock.yaml @@ -7,6 +7,8 @@ settings: overrides: esbuild: '>=0.28.1' undici: ^7.28.0 + ws: '>=8.21.0' + yaml: '>=2.8.3' importers: @@ -1998,7 +2000,7 @@ packages: sugarss: ^5.0.0 terser: ^5.16.0 tsx: ^4.8.1 - yaml: ^2.4.2 + yaml: '>=2.8.3' peerDependenciesMeta: '@types/node': optional: true @@ -2151,8 +2153,8 @@ packages: resolution: {integrity: sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==} engines: {node: '>=10'} - ws@8.20.1: - resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==} + ws@8.21.0: + resolution: {integrity: sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -2174,11 +2176,6 @@ packages: resolution: {integrity: sha512-qhjK/bzSRZ6HtTvgeFvjNPJGWdZ0+x5NREV/9XZWFjIGezew2b4r5JPy66IfOhd5OA7KeFwk1JfmEbnTvev0cA==} hasBin: true - yaml@2.7.1: - resolution: {integrity: sha512-10ULxpnOCQXxJvBgxsn9ptjq6uviG/htZKk9veJGhlqn3w/DxQ631zFF+nlQXLwmImeS5amR2dl2U8sg6U9jsQ==} - engines: {node: '>= 14'} - hasBin: true - yaml@2.9.0: resolution: {integrity: sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==} engines: {node: '>= 14.6'} @@ -3853,7 +3850,7 @@ snapshots: sharp: 0.34.5 undici: 7.28.0 workerd: 1.20260521.1 - ws: 8.20.1 + ws: 8.21.0 youch: 4.1.0-beta.10 transitivePeerDependencies: - bufferutil @@ -4523,7 +4520,7 @@ snapshots: string-width: 4.2.3 strip-ansi: 6.0.1 - ws@8.20.1: {} + ws@8.21.0: {} xxhash-wasm@1.1.0: {} @@ -4541,9 +4538,7 @@ snapshots: vscode-languageserver-textdocument: 1.0.12 vscode-languageserver-types: 3.17.5 vscode-uri: 3.1.0 - yaml: 2.7.1 - - yaml@2.7.1: {} + yaml: 2.9.0 yaml@2.9.0: {}