Skip to content

chore(deps): bump rustls-webpki from 0.103.9 to 0.103.10 in the cargo group across 1 directory#3

Merged
hyperpolymath merged 1 commit into
mainfrom
dependabot/cargo/cargo-64b2a50fd2
Mar 23, 2026
Merged

chore(deps): bump rustls-webpki from 0.103.9 to 0.103.10 in the cargo group across 1 directory#3
hyperpolymath merged 1 commit into
mainfrom
dependabot/cargo/cargo-64b2a50fd2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 21, 2026

Bumps the cargo group with 1 update in the / directory: rustls-webpki.

Updates rustls-webpki from 0.103.9 to 0.103.10

Release notes

Sourced from rustls-webpki's releases.

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correct provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
  • e401d00 generate.py: reformat for black 2026.1.0
  • 06cedec Take semver-compatible deps
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump rustls-webpki in the cargo group across 1 directory
9b07d1e 
Bumps the cargo group with 1 update in the / directory: [rustls-webpki](https://github.com/rustls/webpki).


Updates `rustls-webpki` from 0.103.9 to 0.103.10
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.10)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Mar 21, 2026
@hyperpolymath hyperpolymath merged commit b8745eb into main Mar 23, 2026
11 of 19 checks passed
@hyperpolymath hyperpolymath deleted the dependabot/cargo/cargo-64b2a50fd2 branch March 23, 2026 07:22
This was referenced May 26, 2026
Closed
Merged
hyperpolymath added a commit that referenced this pull request May 26, 2026
@hyperpolymath @claude
docs(future-improvements): refresh status (4 of 10 items shipped) (#42)
600f6fc 
## Summary

\`FUTURE-IMPROVEMENTS.md\` was written on **2026-02-08** when
panic-attack was at **v1.0.0**, surveying ten Eclexia-scan-driven
improvement ideas. We're now at **v2.5.0**; four of the ten items have
shipped but the doc still presents them as future work.

This PR adds a status block at the top of the file and inline **Status:
SHIPPED** markers on the four landed sections, with file/line evidence
so a reader can verify the claims at a glance.

### Shipped (4)

| # | Improvement | Code reference |
|---|-------------|----------------|
| 1 | Test Code Exclusion | \`Analyzer::strip_cfg_test_modules_rs\` —
\`src/assail/analyzer.rs:923-934\` |
| 2 | Framework Detection Accuracy | \`Analyzer::detect_frameworks\` —
\`src/assail/analyzer.rs:4993\` |
| 3 | Safe Unwrap Variant Distinction | \`safe_unwrap_calls\` field on
\`ProgramStatistics\` / \`FileStatistics\` — \`src/types.rs:451,518\` |
| 6 | Differential Scanning | \`Commands::Diff\` — \`src/main.rs:483\`;
logic in \`src/report/diff.rs\` |

### Outstanding (6)

- **#4 Language-Specific Severity Calibration** — no "Hardened" tier
yet; *was* gated on #1+#3 (now both shipped, so genuinely unblocked).
- **#5 Workspace-Level Consolidated Reporting** — no Cargo workspace
mode in CLI.
- **#7 Allocation Site Context** — no \`AllocationCategory\` enum.
- **#8 Resource Dimension Awareness** — long-term, no plugin surface.
- **#9 Error Handling Maturity** — no metric yet.
- **#10 Configurable CI Thresholds** — no \`[thresholds]\` parser; *was*
gated on #1-4 (now mostly unblocked).

## Preservation

- The historical header (\`Date: 2026-02-08\`, \`Tool version:
panic-attack v1.0.0\`) is preserved as a historical record of what was
true at scan time.
- A new \`Audit refreshed: 2026-05-26\` line records when this status
update was performed.
- Body text of each improvement section is unchanged — only the priority
line on shipped items gets a "Status: SHIPPED" suffix.

## Test plan

- [x] Markdown renders correctly (status table, inline markers)
- [x] All cited file:line locations grep clean against current main
- [x] Signed commit

## Not in this PR

Acting on the now-unblocked items (#4, #10) is separate work. Filing
this hygiene update first so future planning has accurate ground truth.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath