Security: Address OpenSSF Scorecard and Dependabot Alerts#4
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4af050e551
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # Utilities | ||
| chrono = { version = "0.4", features = ["serde"] } | ||
| ring = "0.17.13" | ||
| lru = "0.16.3" |
There was a problem hiding this comment.
This adds a new non-optional dependency (lru = "0.16.3") but the checked-in clinician/Cargo.lock is not updated (the ambientops-clinician package entry still omits lru, and only lru 0.12.5 is present), so locked builds are inconsistent. The clinician container build uses cargo build --release --locked, and cargo build --help defines --locked as "Assert that Cargo.lock will remain unchanged", which causes builds in that path to fail until the lockfile is regenerated.
Useful? React with 👍 / 👎.
| chrono = { version = "0.4", features = ["serde"] } | ||
| # Security fix: override transitive ring to patch CVE-2025-4432 | ||
| ring = "0.17.13" | ||
| lru = "0.16.3" |
There was a problem hiding this comment.
The manifest now declares lru = "0.16.3", but personal-sysadmin/Cargo.lock was not updated (its personal-sysadmin dependency list still has no lru, and only lru 0.12.5 exists), leaving the manifest and lockfile out of sync. The project’s container build runs cargo build --release --locked, and cargo build --help states --locked "Assert that Cargo.lock will remain unchanged", so this change will break locked builds until the lockfile is refreshed.
Useful? React with 👍 / 👎.
|
|
||
| # Bytes | ||
| bytes = "1.11" | ||
| lru = "0.16.3" |
There was a problem hiding this comment.
Adding lru = "0.16.3" under [workspace.dependencies] is a no-op unless at least one member crate opts into it via { workspace = true }; none of the workspace member manifests reference lru, and the resulting czech-file-knife/Cargo.lock still resolves only lru 0.12.5. In this form, the intended lru security remediation for this workspace is not actually applied.
Useful? React with 👍 / 👎.
1 participant
This PR addresses several security and maintenance alerts: