
fix(deps): patch 3 rustls-webpki CVEs (RUSTSEC-2026-0098/0099/0104)#14

Closed
scoobydont-666 wants to merge 1 commit into firelock-ai:main from scoobydont-666:fix/rustls-webpki-cves

Conversation

@scoobydont-666

Summary

  • Bump `rustls-webpki` to `0.103.13` via `[patch.crates-io]` in root `Cargo.toml`
  • Resolves:
    • RUSTSEC-2026-0098
    • RUSTSEC-2026-0099
    • RUSTSEC-2026-0104
  • TLS validation paths (OAuth, HuggingFace download) previously vulnerable
  • Identified in red-team audit 2026-04-24 (hydra-project PR #146 Phase 2)

Why `[patch.crates-io]` (Option B) over `cargo update`

`cargo update -p kin-db` failed in this environment (private "kin" registry unconfigured). The patch block achieves the same CVE resolution and composes cleanly with the workspace lockfile.

Verification

  • `cargo audit`: 3 rustls-webpki advisories → 0 (only 8 pre-existing unmaintained warnings remain)
  • `rustls-webpki` 0.103.10 → 0.103.13 (checksum verified from crates.io)
  • Full `cargo build --workspace` could not run in my environment (private registry); please verify locally before merge

Files changed

  • `Cargo.toml` — add `[patch.crates-io]` block
  • `Cargo.lock` — version + checksum update

🤖 Generated with Claude Code

Bumps rustls-webpki to 0.103.13 via [patch.crates-io] block.
Resolves 3 TLS validation bypass vulnerabilities affecting OAuth/HF-hub download paths.

Before: 3 rustls-webpki RUSTSEC advisories (0098, 0099, 0104)
After: 0 rustls-webpki advisories
cargo audit result: 0 error advisories (8 allowed unmaintained warnings)
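The PR description asks reviewers to verify locally before merge, and the commit message claims every rustls-webpki advisory is gone. The check below is an added example written for this page by the editor; it is not code from the PR or from the firelock-ai project. It parses a Cargo.lock (constructed sample excerpts embedded inline, with a placeholder in place of a real crates.io checksum) and confirms that every resolved copy of `rustls-webpki` is at or above 0.103.13. Checking every copy matters because a workspace lockfile can resolve the same crate at two versions, and a `[patch]` entry that replaces one of them still leaves the other on the vulnerable release.

```shell
#!/bin/sh
# Pre-merge lockfile check: every resolved copy of a crate in Cargo.lock must be
# at or above a minimum version. Added example, not part of the PR.
set -eu

# lock_versions LOCKFILE CRATE -> prints one line per resolved copy of CRATE.
# Cargo.lock lists "name = ..." before "version = ..." inside each [[package]].
lock_versions() {
  awk -v crate="$2" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); ver = $3; if (name == crate) print ver }
  ' "$1"
}

# version_ge A B -> exit 0 if dotted version A >= B (numeric, per component;
# a pre-release suffix such as "-rc1" is ignored by the numeric compare).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_lock LOCKFILE CRATE MINVER -> 0 only if CRATE is present and every
# resolved copy satisfies MINVER; reports each copy on stdout.
check_lock() {
  found=0; bad=0
  for v in $(lock_versions "$1" "$2"); do
    found=1
    if version_ge "$v" "$3"; then
      echo "ok   $2 $v"
    else
      echo "FAIL $2 $v < $3"; bad=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "FAIL $2 not found in $1"; return 1; }
  return "$bad"
}

# check_lock_text LOCK_CONTENT CRATE MINVER -> same as check_lock, but takes the
# lockfile contents as a string (used here for the embedded samples).
check_lock_text() {
  tmp=$(mktemp); printf '%s' "$1" > "$tmp"
  check_lock "$tmp" "$2" "$3" && rc=0 || rc=$?
  rm -f "$tmp"; return "$rc"
}

# Constructed sample lockfile excerpts (not the project's Cargo.lock; the
# checksum value is a placeholder, not a real crates.io digest).
SAMPLE_LOCK_FIXED='[[package]]
name = "some-other-crate"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM"
'

# Stale case: the patched copy is present, but a second resolution of the same
# crate survived at the vulnerable 0.103.10.
SAMPLE_LOCK_STALE='[[package]]
name = "rustls-webpki"
version = "0.103.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM"

[[package]]
name = "rustls-webpki"
version = "0.103.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM"
'

# Usage against a real workspace:  check_lock Cargo.lock rustls-webpki 0.103.13
check_lock_text "$SAMPLE_LOCK_FIXED" rustls-webpki 0.103.13
check_lock_text "$SAMPLE_LOCK_STALE" rustls-webpki 0.103.13 || echo "stale copy detected, as expected"
```

This complements rather than replaces `cargo audit`: the advisory database decides which versions are affected, while this check confirms that the lockfile the reviewer is about to merge actually resolves to the fixed release everywhere, which is the part the PR author could not exercise without access to the private registry.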
scoobydont-666 deleted the fix/rustls-webpki-cves branch April 29, 2026 19:16
github-actions bot locked and limited conversation to collaborators Apr 29, 2026