fix: update Cargo.lock to fix cargo audit vulnerabilities #1190
- rustls-webpki 0.103.10 -> 0.103.12 (RUSTSEC-2026-0098, RUSTSEC-2026-0099)
- rand 0.8.5 -> 0.8.6, 0.9.2 -> 0.9.4 (RUSTSEC-2026-0097)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| "cexpr", | ||
| "clang-sys", | ||
| "itertools 0.13.0", | ||
| "itertools 0.11.0", |
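Review bot: the `itertools` line in this dependency list goes from 0.13.0 to 0.11.0, a version moving down in a PR whose summary lists only the rustls-webpki and rand bumps. Please record this resolver side effect in the PR description, and name the package that owns this dependency list, so a later reader of the lockfile history does not take it for an unintended change.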
it is downgraded?
It's a consequence of running `cargo update rustls-webpki`.
From Claude:
The chain is:
rustls-webpki → aws-lc-rs → aws-lc-fips-sys → bindgen → itertools
When cargo updates rustls-webpki, it re-resolves this entire chain. Bindgen's constraint is
>=0.10,<0.14, and itertools 0.11.0 is already in the graph (for lalrpop). So cargo consolidates — using
the already-present 0.11.0 rather than keeping a separate 0.13.0 copy. It's the resolver deduplicating
as a side effect of re-solving the chain.
The change is valid: bindgen 0.72.1 explicitly declares itertools = ">=0.10,<0.14", so 0.11.0 is within
its stated range.
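A lockfile-only update can change dependency edges that the PR description never mentions, as with the bindgen and itertools entry discussed in this thread. The following is an added example, not code from this PR or the project: it compares two `Cargo.lock` texts and lists edges whose resolved version went down. The lockfile excerpts are constructed, and `vkey`, `parse_lock` and `find_downgrades` are hypothetical helper names.

```python
import re
# Constructed, trimmed lockfile excerpts (not the PR's real Cargo.lock).
OLD_LOCK = '''
[[package]]
name = "bindgen"
version = "0.72.1"
dependencies = [
 "cexpr",
 "itertools 0.13.0",
]
[[package]]
name = "cexpr"
version = "0.6.0"
[[package]]
name = "itertools"
version = "0.11.0"
[[package]]
name = "itertools"
version = "0.13.0"
'''
NEW_LOCK = OLD_LOCK.replace('"itertools 0.13.0"', '"itertools 0.11.0"')

def vkey(version):
    """Numeric major.minor.patch order; pre-release/build suffixes are ignored."""
    return tuple(int(p) for p in re.split(r"[-+]", version)[0].split("."))

def parse_lock(text):
    """Return {(dependent, dependency): set of resolved versions}."""
    blocks, versions, edges = [], {}, {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        blocks.append((name, re.findall(r'"([^"]+)"', deps.group(1)) if deps else []))
        versions.setdefault(name, set()).add(version)
    for name, entries in blocks:
        for entry in entries:
            dep, _, rest = entry.partition(" ")
            # A bare "name" entry means the lockfile holds one version of that crate.
            resolved = {rest.split(" ")[0]} if rest else versions.get(dep, set())
            edges.setdefault((name, dep), set()).update(resolved)
    return edges

def find_downgrades(old_text, new_text):
    """List (dependent, dependency, old, new) where the resolved version went down."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    pairs = [(e, max(old[e], key=vkey), max(new[e], key=vkey))
             for e in sorted(old.keys() & new.keys()) if old[e] and new[e]]
    return [(*e, b, a) for e, b, a in pairs if vkey(a) < vkey(b)]
```

Run against the lockfile before and after `cargo update`, each reported edge can then be checked against the dependent's declared version range and against `cargo audit`.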
litianningdatadog left a comment
Left a comment.
## Summary
- Bumps `rustls-webpki` from `0.103.12` to `0.103.13` in `Cargo.lock`
- Fixes RUSTSEC-2026-0104: reachable panic in certificate revocation list parsing
- Advisory published 2026-04-22; the previous cargo audit fix PR (#1190) predated it

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- `rustls-webpki` 0.103.10 → 0.103.12 (fixes RUSTSEC-2026-0098 and RUSTSEC-2026-0099: name constraint bypass vulnerabilities in TLS certificate validation)
- `rand` 0.8.5 → 0.8.6 and 0.9.2 → 0.9.4 (fixes RUSTSEC-2026-0097: unsound aliased mutable reference when using custom loggers)

These were causing the cargo audit CI job to fail.

Only `Cargo.lock` is updated (no `Cargo.toml` changes needed — these are transitive dependency version bumps).