From 7c894ddceba1634b3ef00e7eb94655de3e2fddf0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 22 Apr 2026 11:49:42 +0000
Subject: [PATCH] security(deps): clear cargo-audit vuln + 2 unmaintained-crate warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
- RUSTSEC-2026-0104 (reachable panic in rustls-webpki CRL parsing) via cargo update -p rustls-webpki --precise 0.103.13
- RUSTSEC-2025-0119 (number_prefix unmaintained) by bumping indicatif 0.17 → 0.18 — 0.18 replaces number_prefix with unit-prefix internally; only ProgressBar / ProgressStyle are used (main.rs:823-832), stable API
- RUSTSEC-2021-0127 (serde_cbor unmaintained) by replacing with ciborium 0.2 in the verisim-gated proof_encoding module; 14/14 proof_encoding tests pass under --features verisim

Remaining: RUSTSEC-2025-0134 (rustls-pemfile via tonic 0.12) — deferred; tonic 0.13 is a breaking-API bump and warrants its own branch.

Verified: cargo check --lib, cargo check --bin echidna, cargo check --features verisim --lib all clean; cargo audit drops from 1 error + 3 warnings to 0 errors + 1 warning.
---
 Cargo.lock | 49 +++++++++++++------------------------
 Cargo.toml | 6 ++---
 src/rust/proof_encoding.rs | 6 +++--
 3 files changed, 23 insertions(+), 38 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 36bef96..05b1662 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -594,7 +594,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
 dependencies = [
  "ciborium-io",
- "half 2.7.1",
+ "half",
 ]
 [[package]]
@@ -672,15 +672,14 @@ dependencies = [
 [[package]]
 name = "console"
-version = "0.15.11"
+version = "0.16.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "054ccb5b10f9f2cbf51eb355ca1d05c2d279ce1804688d0db74b4733a5aeafd8"
+checksum = "d64e8af5551369d19cf50138de61f1c42074ab970f74e99be916646777f8fc87"
 dependencies = [
  "encode_unicode",
  "libc",
- "once_cell",
  "unicode-width",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -982,6 +981,7 @@ dependencies = [
  "axum 0.7.9",
  "blake3",
  "chrono",
+ "ciborium",
  "clap",
  "colored",
  "criterion",
@@ -994,7 +994,6 @@ dependencies = [
  "reqwest",
  "rustyline",
  "serde",
- "serde_cbor",
  "serde_json",
  "sha2",
  "tempfile",
@@ -1381,12 +1380,6 @@ dependencies = [
  "tracing",
 ]
-[[package]]
-name = "half"
-version = "1.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
-
 [[package]]
 name = "half"
 version = "2.7.1"
@@ -1756,14 +1749,14 @@ dependencies = [
 [[package]]
 name = "indicatif"
-version = "0.17.11"
+version = "0.18.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "183b3088984b400f4cfac3620d5e076c84da5364016b4f49473de574b2586235"
+checksum = "25470f23803092da7d239834776d653104d551bc4d7eacaf31e6837854b8e9eb"
 dependencies = [
  "console",
- "number_prefix",
  "portable-atomic",
  "unicode-width",
+ "unit-prefix",
  "web-time",
 ]
@@ -2061,12 +2054,6 @@ dependencies = [
  "autocfg",
 ]
-[[package]]
-name = "number_prefix"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830b246a0e5f20af87141b25c173cd1b609bd7779a4617d6ec582abaf90870f3"
-
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -2789,9 +2776,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.103.12"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -2907,16 +2894,6 @@ dependencies = [
  "serde_derive",
 ]
-[[package]]
-name = "serde_cbor"
-version = "0.11.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5"
-dependencies = [
- "half 1.8.3",
- "serde",
-]
-
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@@ -3675,6 +3652,12 @@ version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+[[package]]
+name = "unit-prefix"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81e544489bf3d8ef66c953931f56617f423cd4b5494be343d9b9d3dda037b9a3"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
diff --git a/Cargo.toml b/Cargo.toml
index 225abe8..0bb43f5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -35,7 +35,7 @@ thiserror = "2"
 # CLI
 clap = { version = "4", features = ["derive"] }
 colored = "3"
-indicatif = "0.17"
+indicatif = "0.18"
 # Logging
 tracing = "0.1"
@@ -67,7 +67,7 @@ uuid = { version = "1", features = ["v4", "serde"] }
 lazy_static = "1"
 # VeriSimDB integration (optional — behind "verisim" feature)
-serde_cbor = { version = "0.11", optional = true }
+ciborium = { version = "0.2", optional = true }
 sha2 = { version = "0.10", optional = true }
 # Chrono for timestamps
@@ -86,7 +86,7 @@ typed-wasm = { path = "crates/typed_wasm" }
 default = []
 chapel = [] # Enable Chapel parallel proof search (requires Zig FFI library)
 verisim = [ # Enable VeriSimDB persistent proof storage (8-modality octads)
- "dep:serde_cbor",
+ "dep:ciborium",
  "dep:sha2",
 ]
 # Enable the live-prover test suite (tests/live_prover_suite.rs). Gated so that
diff --git a/src/rust/proof_encoding.rs b/src/rust/proof_encoding.rs
index ebfdd91..649c29e 100644
--- a/src/rust/proof_encoding.rs
+++ b/src/rust/proof_encoding.rs
@@ -24,12 +24,14 @@ use crate::provers::ProverKind;
 /// - Self-describing (VeriSimDB can introspect without schema)
 /// - Matches VeriSimDB's semantic modality expectation
 pub fn encode_proof_state_cbor(proof: &ProofState) -> Result> {
-    serde_cbor::to_vec(proof).context("Failed to CBOR-encode ProofState")
+    let mut buf = Vec::new();
+    ciborium::into_writer(proof, &mut buf).context("Failed to CBOR-encode ProofState")?;
+    Ok(buf)
 }
 /// Decode a ProofState from CBOR bytes.
 pub fn decode_proof_state_cbor(bytes: &[u8]) -> Result {
-    serde_cbor::from_slice(bytes).context("Failed to CBOR-decode ProofState")
+    ciborium::from_reader(bytes).context("Failed to CBOR-decode ProofState")
 }
 /// Generate a stable, content-addressed proof identity for use as a VeriSimDB octad key.
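Review bot: `decode_proof_state_cbor` now silently accepts trailing bytes after the CBOR value: `serde_cbor::from_slice` ran an end-of-input check and returned a trailing-data error, whereas `ciborium::from_reader` decodes exactly one item and never looks at what follows, so the new line `ciborium::from_reader(bytes).context(...)` loosens what the decoder rejects without that being mentioned in the commit message. If the encoded bytes are also the input to the content-addressed identity documented just below this hunk (inferred from its doc comment, not visible here), two blobs differing only in a suffix would decode to the same `ProofState` while keying differently, which is the kind of canonicalization gap a proof store should not have. Decoding through a `std::io::Cursor` and checking that the cursor consumed the whole slice restores the old strictness; the `anyhow::ensure!` below assumes `Result` and `.context` come from `anyhow`, which the hunk suggests but does not show. The `Result>` / `Result` return types on this page look like stripped generics from extraction, not something to change in the file.
```rust
pub fn decode_proof_state_cbor(bytes: &[u8]) -> Result<ProofState> {
    let mut cursor = std::io::Cursor::new(bytes);
    let proof: ProofState =
        ciborium::from_reader(&mut cursor).context("Failed to CBOR-decode ProofState")?;
    // serde_cbor::from_slice rejected trailing data; ciborium::from_reader stops after
    // one item, so enforce the same "whole input is one value" contract explicitly.
    anyhow::ensure!(
        cursor.position() == bytes.len() as u64,
        "Trailing bytes after CBOR ProofState"
    );
    Ok(proof)
}
```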