
chore: bump deps to resolve OSV vulnerabilities #142

Merged
hashemix merged 4 commits into rust-mcp-stack:main from SVilgelm:chore/bump-deps-osv-fixes on May 23, 2026

Conversation

@SVilgelm
Contributor

@SVilgelm SVilgelm commented May 5, 2026

Reduce known vulnerabilities from 17 to 1:

  • cargo update: openssl 0.10.78, aws-lc-sys 0.40.0, rustls-webpki 0.103.13, rustls 0.23.40, rand 0.8.6 / 0.9.4
  • axum-server 0.7 → 0.8 (drops vulnerable rustls-pemfile@2.2.0); add SocketAddr generic to Handle usages
  • wiremock 0.5 → 0.6 (drops vulnerable instant@0.1.13 and rand@0.7.3); migrate test_streamable_http_client to http-crate types

Residual: rsa@0.9.10 (RUSTSEC-2023-0071) via oauth2-test-server, a dev-dependency only with no upstream fix.

Fixes: #140


Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
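The residual finding above is the kind of accepted risk a scanner will keep reporting unless it is recorded in configuration, so the record should carry the justification and an expiry. The following `osv-scanner.toml` fragment is an added example, not a file from this PR or the rust-mcp-sdk repository: the advisory id, crate version and the oauth2-test-server dev-dependency path come from the PR description; the review date and the reason text are assumptions.

```toml
# osv-scanner.toml (added example; not part of the rust-mcp-sdk repository)
# osv-scanner picks this file up from the directory it scans, so the accepted
# finding is documented next to Cargo.lock instead of being silenced ad hoc.

[[IgnoredVulns]]
# The rsa@0.9.10 advisory the PR records as residual. It reaches the workspace
# only through the oauth2-test-server dev-dependency, so it is never compiled
# into shipped binaries, and no fixed rsa release exists to upgrade to.
id = "RUSTSEC-2023-0071"
# Assumed review date: the ignore expires and the finding resurfaces, which
# forces a re-check for an upstream fix rather than a permanent exception.
ignoreUntil = 2026-11-23
reason = "rsa 0.9.10 pulled in only by dev-dependency oauth2-test-server; no patched release available, re-evaluate at ignoreUntil"
```

Before adding an entry like this, confirm the dev-only claim against the lockfile rather than the PR text: `cargo tree -i rsa -e no-dev` inverts the tree to show who depends on `rsa` while excluding dev-dependency edges, so it should show no path at all if the claim holds. An ignore is only appropriate for findings that cannot reach production artifacts; a normal or build dependency with no upstream fix needs a replacement or a vendored patch, not an exception.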
Copilot AI review requested due to automatic review settings May 5, 2026 20:30

Copilot AI left a comment


Pull request overview

This PR updates workspace dependencies (notably TLS/HTTP stack and test tooling) to reduce known OSV-reported vulnerabilities, including upgrading axum-server and wiremock, and refreshing Cargo.lock accordingly.

Changes:

  • Bump axum-server from 0.7 to 0.8 and update server handle types to the new generic Handle<SocketAddr> API.
  • Bump wiremock from 0.5 to 0.6 and adjust the streamable HTTP client integration test to use http-crate header/method types.
  • Refresh Cargo.lock via dependency updates to pull patched transitive versions (e.g., rustls, openssl, aws-lc-sys, rand).

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • crates/rust-mcp-transport/Cargo.toml: Updates dev-dependency wiremock to 0.6 to remove vulnerable transitive deps in test tooling.
  • crates/rust-mcp-sdk/tests/test_streamable_http_client.rs: Migrates test assertions to wiremock 0.6 request/header/method APIs.
  • crates/rust-mcp-sdk/src/hyper_servers/server.rs: Adapts HyperServer to axum-server 0.8 by using Handle<SocketAddr> and updating signatures accordingly.
  • crates/rust-mcp-sdk/src/hyper_servers/hyper_runtime.rs: Updates runtime struct field type for the new axum-server handle generic.
  • crates/rust-mcp-sdk/Cargo.toml: Bumps axum-server to 0.8 and wiremock to 0.6 for the SDK crate.
  • Cargo.toml: Bumps workspace axum-server to 0.8 so workspace crates share the updated server implementation.
  • Cargo.lock: Large lockfile refresh reflecting patched dependency graph after cargo update and version bumps.


@SVilgelm
Contributor Author

SVilgelm commented May 8, 2026

@hashemix, Hi, could you please check this PR? Thank you

@hashemix hashemix changed the title chore: bump deps to resolve OSV vulnerabilities chore: bump deps to resolve OSV vulnerabilities May 17, 2026
@hashemix
Member

Hey @SVilgelm , would you mind fixing the issues causing the check to fail: https://github.com/rust-mcp-stack/rust-mcp-sdk/actions/runs/26002112188/job/76427154767?pr=142

to reproduce that locally, with rust 1.95.0 run:

cargo make check

@SVilgelm
Contributor Author

Sure, will do it tonight

SVilgelm and others added 3 commits May 22, 2026 07:47
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
@SVilgelm SVilgelm force-pushed the chore/bump-deps-osv-fixes branch from 3d66fc9 to 5bb1478 Compare May 22, 2026 15:02
@SVilgelm
Contributor Author

fixed all issues

@hashemix hashemix merged commit dcb2cd8 into rust-mcp-stack:main May 23, 2026
3 checks passed

Development

Successfully merging this pull request may close these issues.

OSV Scan Report (security issues)
