Commit 3e005d6
authored
update: clean cargo-audit by removing atty and pinning rsa advisory (#198)
Resolves all cargo-audit findings reported on deps.rs.
Replace the unmaintained `atty` crate with `std::io::IsTerminal` (stdlib since Rust 1.70). This drops two advisories at once: RUSTSEC-2024-0375 (unmaintained) and RUSTSEC-2021-0145 (unsound unaligned read). The five call sites in pty, logging, ssh::auth, and the interactive connection now go through `std::io::{stdin, stdout}().is_terminal()`.
Run `cargo update` to pick up 33 transitive patch bumps available within current semver constraints (tokio 1.52.1 -> 1.52.3, rustls 0.23.39 -> 0.23.40, h2 0.4.13 -> 0.4.14, digest 0.11.2 -> 0.11.3, rpassword 7.4.0 -> 7.5.2, and others). The Cargo.lock churn is mostly transitive; no direct `[dependencies]` constraints needed loosening except the atty removal.
Add `.cargo/audit.toml` ignoring RUSTSEC-2023-0071 (Marvin Attack) with an explanatory comment. Both `rsa 0.9.10` (via ssh-key 0.6.x) and `rsa 0.10.0-rc.17` (via the vendored bssh-russh fork) are affected, and no fixed upstream version exists for any rsa release. Bumping to 0.10.0-rc.18 conflicts with the bssh-russh `pkcs5 = "=0.8.0-rc.13"` pin, so we accept the advisory at the audit layer and document Ed25519/ECDSA as the recommended mitigation for users.
Verified: `cargo audit` reports 0 vulnerabilities / 0 warnings, `cargo clippy -- -D warnings` is clean, `cargo test --lib` passes (1222/1222), `cargo fmt --check` is clean.
1 parent 6e0a6d4 commit 3e005d6
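The migration the commit message describes, as an added example that is not code from this commit or from the project: a small shim with the same shape as `atty::is(atty::Stream::…)` built on `std::io::IsTerminal`, plus two pure policy functions of the kind the pty, logging and ssh::auth call sites would feed with the probe result. `Stream`, `PromptPolicy`, `prompt_policy` and `color_enabled` are hypothetical names chosen here; the probing is separated from the decision so the decision can be unit-tested in a process that has no terminal attached.

```rust
use std::io::{self, IsTerminal};

/// The standard stream to probe. Mirrors the `atty::Stream` enum so a call
/// site only needs its crate path swapped. (Hypothetical type, not the project's.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Stream {
    Stdin,
    Stdout,
    Stderr,
}

/// Drop-in replacement for `atty::is(stream)`, backed by the
/// `std::io::IsTerminal` trait that is part of the standard library since Rust 1.70.
pub fn is_terminal(stream: Stream) -> bool {
    match stream {
        Stream::Stdin => io::stdin().is_terminal(),
        Stream::Stdout => io::stdout().is_terminal(),
        Stream::Stderr => io::stderr().is_terminal(),
    }
}

/// How an SSH-style client may obtain credentials, given what it learned about
/// its streams. (Hypothetical policy type, not from the project.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PromptPolicy {
    /// stdin and stderr are both terminals: a password prompt can be shown and read.
    Interactive,
    /// stdin or stderr is a pipe/file, or batch mode was requested: never emit a
    /// prompt into a pipe; rely on key-based auth (Ed25519/ECDSA) or an agent instead.
    NonInteractive,
}

/// Decide the prompt policy from the terminal probes. Pure function, so it runs
/// identically with or without a pty.
pub fn prompt_policy(stdin_tty: bool, stderr_tty: bool, batch_mode: bool) -> PromptPolicy {
    if batch_mode || !stdin_tty || !stderr_tty {
        PromptPolicy::NonInteractive
    } else {
        PromptPolicy::Interactive
    }
}

/// Whether log output should carry ANSI colour: only when stdout is a terminal
/// and the conventional NO_COLOR variable is absent or empty (https://no-color.org).
pub fn color_enabled(stdout_tty: bool, no_color: Option<&str>) -> bool {
    stdout_tty && no_color.map_or(true, |v| v.is_empty())
}

fn main() {
    // Before the migration these three probes would have been
    // `atty::is(atty::Stream::Stdin)` and friends.
    let policy = prompt_policy(
        is_terminal(Stream::Stdin),
        is_terminal(Stream::Stderr),
        false,
    );
    let no_color = std::env::var("NO_COLOR").ok();
    let color = color_enabled(is_terminal(Stream::Stdout), no_color.as_deref());
    println!("prompt policy: {policy:?}, colour output: {color}");
}
```

Run under a terminal the binary reports `Interactive` and colour on; run with stdin redirected from a file, or with output piped, it switches to `NonInteractive` and plain output, which is exactly the behaviour the `atty` checks provided before.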
7 files changed
Lines changed: 132 additions & 130 deletions
File tree
- .cargo
- src
- commands/interactive
- pty
- ssh
- utils
Diff hunk (new file, 21 added lines); the line contents were not captured in this rendering.
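Review bot: the body of this 21-line hunk did not survive rendering, so the only reviewable statement is the commit message's description of the `.cargo/audit.toml` ignore for RUSTSEC-2023-0071. An audit ignore should record the condition for its own removal, here a fixed `rsa` release that coexists with the bssh-russh `pkcs5 = "=0.8.0-rc.13"` pin, so the suppression is re-checked on each `cargo update` instead of becoming permanent; the explanatory comment the commit message mentions is the right place for that, together with the Ed25519/ECDSA mitigation already documented for users.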