build(deps): update Rust deps for security fixes #532

Merged: kvinwang merged 1 commit into master from fix/update-deps on Mar 6, 2026
kvinwang (Collaborator) commented on Mar 6, 2026

Summary

Rust workspace deps (Cargo.toml + Cargo.lock)

  • Update bytes 1.10.1 -> 1.11.1 (RUSTSEC-2025-0014)
  • Update time 0.3.39 -> 0.3.47 (RUSTSEC-2025-0015)
  • Update aws-lc-sys 0.37.0 -> 0.38.0 (RUSTSEC-2025-0013, via cargo update)
  • Run cargo update to pick up latest compatible versions of all transitive deps

key-provider-build

  • Switch from kvinwang fork to upstream MoeMahhouk/gramine-sealing-key-provider (commit 180ff46)
    • The fork was only needed for dcap-qvl 0.3.10 fix, now merged upstream
    • Upstream also upgraded Gramine v1.5 -> v1.9, Rust toolchain -> 1.85, hardened attestation
  • Regenerated Cargo.lock to fix bytes vulnerability

Not addressed

  • mio 0.7.14 (CVE-2024-27308): Windows-only named pipe issue, dismissed (does not affect this Linux project). Pinned via luks2 -> crossterm 0.19.
  • elliptic npm: no fix available

Supersedes #493 and #494.

- bytes: 1.10.1 -> 1.11.1 (RUSTSEC-2025-0014)
- time: 0.3.39 -> 0.3.47 (RUSTSEC-2025-0015)
- aws-lc-sys: 0.37.0 -> 0.38.0 (RUSTSEC-2025-0013, via cargo update)

Also ran cargo update to pick up latest compatible versions of all transitive dependencies.

Note: mio 0.7.14 alert (CVE-2024-27308) is Windows-only (named pipes)
and does not affect this Linux-only project. It's pinned via
luks2 -> crossterm 0.19 and cannot be updated without upstream changes.

kvinwang merged commit af2f66b into master on Mar 6, 2026
11 checks passed
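
A lockfile gate for the versions this PR lists, as an added example that is not part of the PR or the project's code: it reads the `[[package]]` entries of a `Cargo.lock` and reports any listed crate that is still below its fixed version. The sample lockfile fragment is constructed, and the function names are illustrative.

```rust
// Added example (not project code): fixed versions as listed in the PR description.
const MIN_FIXED: &[(&str, &str)] = &[("bytes", "1.11.1"), ("time", "0.3.47"), ("aws-lc-sys", "0.38.0")];
// Constructed sample lockfile fragment: `time` is still at the pre-update version.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "bytes"
version = "1.11.1"

[[package]]
name = "time"
version = "0.3.39"
"#;

// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

// Extract the value from a `key = "value"` line.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// A lockfile can hold more than one version of a crate, so every entry is checked.
fn stale_entries(lock: &str) -> Vec<(String, String)> {
    let mut found = Vec::new();
    let mut name = None;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None;
        } else if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let (Some(n), Some(v)) = (name, quoted(line, "version")) {
            let min = MIN_FIXED.iter().find(|(c, _)| *c == n).map(|(_, m)| *m);
            // An unparseable version is reported rather than silently passed.
            if min.map_or(false, |m| parse_version(v) < parse_version(m)) {
                found.push((n.to_string(), v.to_string()));
            }
        }
    }
    found
}

fn main() {
    println!("{:?}", stale_entries(SAMPLE_LOCK));
}
```

A plain version floor like this flags every entry of a listed crate below the fixed version, including older major lines, so each hit still needs to be checked against the advisory's affected range.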