chore(deps): update Cargo dependencies within semver range#292
Conversation
Bump in-range crates via `cargo update`: anstream, anstyle-parse, bytes, cc, clap/clap_builder/clap_derive, log, memmap2, pulp, pulp-wasm-simd-flag, quote, rustls, shlex, syn, webpki-roots, zlib-rs, and add getrandom 0.4.3 / r-efi 6.0.0 as new transitive deps. anyhow 1.0.103 and crossbeam-epoch 0.9.20 were reverted after failing the 7-day quarantine check; both fix newly-published advisories (RUSTSEC-2026-0190, RUSTSEC-2026-0204) with low practical exposure here, so deny.toml gains time-boxed ignores instead (mirroring the existing memmap2 entry, which is now removed since memmap2 0.9.11 cleared quarantine and lands the fix for RUSTSEC-2026-0186). Updated cargo-vet exemptions in supply-chain/config.toml to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5ac5144cb6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
… ignoring advisories Per Codex review on #292: ignoring RUSTSEC-2026-0190/0204 in deny.toml kept cargo-deny green while the lockfile stayed on the vulnerable anyhow/crossbeam-epoch versions, so the gate would never force the upgrade even after quarantine cleared. Adopt the fixed versions (anyhow 1.0.103, crossbeam-epoch 0.9.20) now and quarantine-allowlist them instead, matching how this repo already treats other security patches that must land immediately. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
crossbeam-epoch 0.9.20 (bumped for RUSTSEC-2026-0204) ships a build.rs that 0.9.18 didn't have. Verified it only emits a rustc-cfg based on CARGO_CFG_SANITIZE, the same benign pattern already accepted for crossbeam-utils — safe to add to the baseline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@codex review |
|
Codex Review: Didn't find any major issues. You're on a roll. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
Routine in-range
cargo updateofengine/dependencies, plus the associated cargo-vet/cargo-deny/quarantine bookkeeping.Bumped crates (all within their existing semver range, no majors raised):
Reverted for the 7-day quarantine gate (
scripts/check-quarantine.sh), viacargo update -p <crate> --precise <old>:Both reverted versions fix newly-published advisories flagged by
cargo deny check:Error::downcast_mut()) — lex-core's only anyhow usage (neural feature) never combines.context()with.downcast_mut(), so exposure is low.fmt::Display) — crossbeam-epoch is a deep transitive dep via rayon; lex-core never formatsAtomic/Sharedpointers.Added time-boxed
deny.tomlignores for both (same pattern as the pre-existing memmap2 entry), to be dropped once each clears quarantine. The old memmap2/RUSTSEC-2026-0186 ignore was removed since memmap2 0.9.11 (which lands that fix) cleared quarantine and is now in the lockfile.supply-chain/config.tomlcargo-vet exemptions were updated to match the new/reverted versions (logandgetrandom@0.4.3/r-efi@6.0.0got new exemption entries since none existed before;imports.lockrefreshed viacargo vet check).Gates run
cargo fmt --all --check— passcargo clippy --workspace --all-features -- -D warnings— passcargo test --workspace --all-features— pass, exceptuser_history::tests::test_save_to_invalid_path, which fails only because this sandbox runs as root (mkdir -punder/nonexistentsucceeds for root, so the test's "should fail" assumption doesn't hold). Verified this is pre-existing and unrelated to this change — it fails identically on unmodifiedmainin the same sandbox. Not expected to reproduce on the ubuntu-latest CI runners (non-root).cargo vet check— pass (58 fully audited, 1 partially audited, 225 exempted)cargo deny check— pass (advisories/bans/licenses/sources all ok)scripts/check-quarantine.sh— pass for all changed deps (7-day quarantine satisfied)Not run:
mise run accuracy/mise run accuracy-history. Building the test dictionary requires fetching Mozc source data fromgoogle/mozcon GitHub, which is outside this session's granted repository scope (send/leximeonly) — this is a hard access-scope restriction, not something affected by the dependency bump. None of the bumped crates touch lex-core's dictionary/Viterbi conversion logic (they're CLI/TLS/WASM/proc-macro/logging infra crates). Please run both accuracy suites locally before merging, per the repo's testing policy.No PR merge is intended from this session — routine opens the PR for human review only.
Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
Generated by Claude Code