chore: update dependencies#41
Merged
Merged
Conversation
Tighten minimum version constraints to exclude vulnerable releases and pick up available patch/minor updates: - aes-gcm 0.10 -> 0.10.3: fixes RUSTSEC-2023-0096 / CVE-2023-42811 (CCA plaintext exposure on tag-verification failure). Only the optional `mkem` feature pulls this in. - rand 0.8.4 -> 0.8.6: fixes RUSTSEC-2026-0097 (UB during reseeding with the `log` feature). Bumped in both [dependencies] and [dev-dependencies]. - arrayref 0.3.6 -> 0.3.9, subtle 2.4.1 -> 2.6.1 (unifies with pg-curve's subtle 2.6.1), criterion 0.8 -> 0.8.2, pastey 0.2 -> 0.2.3. Deliberately NOT bumped: - group 0.14: blocked. pg-curve 0.2.0 and pairing 0.23.0 both require group 0.13, and ibe passes pg-curve curve types into `group` traits; two incompatible `group` versions would fail to compile. Needs a coordinated pg-curve/pairing update first. - getrandom 0.4: blocked. The wasm32 direct dep only enables the `js` feature on the getrandom 0.2 pulled in transitively via rand_core 0.6; bumping it in isolation just adds a parallel unused copy. cargo test --all-features passes (21 tests); fmt and clippy clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
rubenhensen
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the dependency updates tracked in #40. Because this is a library,
Cargo.lockis not committed — the fix is to tighten the minimum version constraints inCargo.tomlso downstream consumers (and-Z minimal-versionsresolution) can no longer pull the vulnerable releases.Security advisories fixed
0.10→0.10.30.8.4→0.8.6(deps + dev-deps)0.10allowed the vulnerable 0.10.0–0.10.2. Only the optionalmkemfeature pulls it in.0.8.4/0.8.5were vulnerable via thelogfeature. ibe usesdefault-features = false(nolog), but bumping the floor is still the correct hygiene fix.Minor / patch updates
arrayref0.3.6→0.3.9subtle2.4.1→2.6.1(unifies with pg-curve'ssubtle 2.6.1)criterion(dev)0.8→0.8.2pastey(dev)0.2→0.2.3Majors deliberately NOT bumped (with reasons)
group 0.14— blocked.pg-curve 0.2.0andpairing 0.23.0both requiregroup 0.13, and ibe passes pg-curve's curve types intogrouptraits. Bumping to 0.14 would produce two incompatiblegroupversions and fail to compile. Requires a coordinatedpg-curve/pairingrelease first.getrandom 0.4— blocked. The wasm32 direct dep exists only to enable thejsfeature on thegetrandom 0.2pulled in transitively viarand_core 0.6. Bumping it in isolation just adds a parallel, unused copy. Coupled with the same BLS-curve-stackrand_core 0.6pin.Verification
cargo test --all-features→ 21 passed, 0 failedcargo fmt --check→ cleancargo clippy --all-features→ no warningsCloses #40