chore: update dependencies #41

Merged: rubenhensen merged 1 commit into main from chore/update-dependencies on Jul 2, 2026

@dobby-coder dobby-coder Bot commented Jul 1, 2026

Summary

Resolves the dependency updates tracked in #40. Because this is a library, Cargo.lock is not committed — the fix is to tighten the minimum version constraints in Cargo.toml so downstream consumers (and -Z minimal-versions resolution) can no longer pull the vulnerable releases.

Security advisories fixed

| Advisory | Package | Bump |
| --- | --- | --- |
| RUSTSEC-2023-0096 / CVE-2023-42811 | aes-gcm | 0.10 → 0.10.3 |
| RUSTSEC-2026-0097 | rand | 0.8.4 → 0.8.6 (deps + dev-deps) |

  • aes-gcm: 0.10 allowed the vulnerable 0.10.0–0.10.2. Only the optional mkem feature pulls it in.
  • rand: 0.8.4/0.8.5 were vulnerable via the log feature. ibe uses default-features = false (no log), but bumping the floor is still the correct hygiene fix.

Minor / patch updates

  • arrayref 0.3.6 → 0.3.9
  • subtle 2.4.1 → 2.6.1 (unifies with pg-curve's subtle 2.6.1)
  • criterion (dev) 0.8 → 0.8.2
  • pastey (dev) 0.2 → 0.2.3

Majors deliberately NOT bumped (with reasons)

  • group 0.14: blocked. pg-curve 0.2.0 and pairing 0.23.0 both require group 0.13, and ibe passes pg-curve's curve types into group traits. Bumping to 0.14 would produce two incompatible group versions and fail to compile. Requires a coordinated pg-curve / pairing release first.
  • getrandom 0.4: blocked. The wasm32 direct dep exists only to enable the js feature on the getrandom 0.2 pulled in transitively via rand_core 0.6. Bumping it in isolation just adds a parallel, unused copy. Coupled with the same BLS-curve-stack rand_core 0.6 pin.

Verification

  • cargo test --all-features → 21 passed, 0 failed
  • cargo fmt --check → clean
  • cargo clippy --all-features → no warnings

Closes #40

Tighten minimum version constraints to exclude vulnerable releases and
pick up available patch/minor updates:

- aes-gcm 0.10 -> 0.10.3: fixes RUSTSEC-2023-0096 / CVE-2023-42811
  (CCA plaintext exposure on tag-verification failure). Only the optional
  `mkem` feature pulls this in.
- rand 0.8.4 -> 0.8.6: fixes RUSTSEC-2026-0097 (UB during reseeding with
  the `log` feature). Bumped in both [dependencies] and [dev-dependencies].
- arrayref 0.3.6 -> 0.3.9, subtle 2.4.1 -> 2.6.1 (unifies with pg-curve's
  subtle 2.6.1), criterion 0.8 -> 0.8.2, pastey 0.2 -> 0.2.3.

Deliberately NOT bumped:
- group 0.14: blocked. pg-curve 0.2.0 and pairing 0.23.0 both require
  group 0.13, and ibe passes pg-curve curve types into `group` traits;
  two incompatible `group` versions would fail to compile. Needs a
  coordinated pg-curve/pairing update first.
- getrandom 0.4: blocked. The wasm32 direct dep only enables the `js`
  feature on the getrandom 0.2 pulled in transitively via rand_core 0.6;
  bumping it in isolation just adds a parallel unused copy.

cargo test --all-features passes (21 tests); fmt and clippy clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot requested a review from rubenhensen July 1, 2026 22:23
@dobby-coder dobby-coder Bot marked this pull request as ready for review July 1, 2026 22:29
@dobby-coder dobby-coder Bot mentioned this pull request Jul 1, 2026
@rubenhensen rubenhensen merged commit 6e3f1e9 into main Jul 2, 2026
8 checks passed
@rubenhensen rubenhensen deleted the chore/update-dependencies branch July 2, 2026 08:27
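
The floor check this change relies on, as an added example that is not part of the pull request or the ibe code base: it computes the lowest version a bare Cargo requirement admits and flags any dependency whose floor is below the first patched release. The function names are hypothetical, the input is constructed from the version numbers in the description above, and it assumes plain caret requirements with the patched release inside the same compatible range.

```rust
// Added example, not from the ibe repository. All names are hypothetical.
// Assumes bare (caret) requirements like "0.10"; other operators fail closed.

type Version = (u64, u64, u64);

/// Lowest version a bare requirement admits: missing components count as 0,
/// so "0.10" resolves down to 0.10.0 under minimal-version resolution.
fn floor_of(req: &str) -> Option<Version> {
    let mut parts = [0u64; 3];
    for (i, piece) in req.trim().trim_start_matches('^').split('.').enumerate() {
        if i >= 3 {
            return None;
        }
        parts[i] = piece.parse().ok()?;
    }
    Some((parts[0], parts[1], parts[2]))
}

/// Some(true) when the requirement still admits a release older than `patched`.
fn admits_vulnerable(req: &str, patched: &str) -> Option<bool> {
    Some(floor_of(req)? < floor_of(patched)?)
}

/// Names of dependencies whose floor is below the patched release, or whose
/// requirement could not be parsed (treated as a finding).
fn audit<'a>(deps: &[(&'a str, &'a str)], patched: &[(&str, &str)]) -> Vec<&'a str> {
    deps.iter()
        .filter(|(name, req)| {
            patched
                .iter()
                .any(|(p, fixed)| p == name && admits_vulnerable(req, fixed).unwrap_or(true))
        })
        .map(|(name, _)| *name)
        .collect()
}

fn main() {
    // Constructed input mirroring the constraints before and after the bump.
    let patched = [("aes-gcm", "0.10.3"), ("rand", "0.8.6")];
    let before = [("aes-gcm", "0.10"), ("rand", "0.8.4"), ("subtle", "2.4.1")];
    let after = [("aes-gcm", "0.10.3"), ("rand", "0.8.6"), ("subtle", "2.6.1")];
    println!("before: {:?}", audit(&before, &patched));
    println!("after:  {:?}", audit(&after, &patched));
}
```

A check like this matters for libraries in particular, because without a committed Cargo.lock the requirement string in Cargo.toml is the only thing that bounds what a downstream resolver may select.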