fix(deps): bump crossbeam-epoch to 0.9.20 for RUSTSEC-2026-0204 (#162)#163
Conversation
RUSTSEC-2026-0204 (invalid pointer dereference in crossbeam-epoch's fmt::Pointer impl for Atomic/Shared) hard-fails cargo audit on every branch, since the advisory's addition to the RustSec db. crossbeam-epoch is a fully transitive dependency (moka -> hickory-resolver -> libp2p-dns), and the advisory's prescribed fix is >= 0.9.20; moka 0.12.15 accepts >=0.9.18,<0.10.0 so the bump resolves with no other graph changes. Lockfile-only, single crate. Verified: cargo audit exits 0 and the workspace builds clean with 0.9.20. Closes #162.
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
jatmn
left a comment
There was a problem hiding this comment.
Thanks for the contribution. I do not see any actionable issues from my review.
@kevincodex1 LGTM
Bumps
crossbeam-epochfrom0.9.18to0.9.20to clearRUSTSEC-2026-0204(invalid pointer dereference in itsfmt::Pointerimpl forAtomic/Shared), which is hard-failingcargo auditon every branch since the advisory landed in the RustSec db.crossbeam-epochis a fully transitive dependency (moka -> hickory-resolver -> libp2p-dns); the advisory's prescribed fix is>= 0.9.20, andmoka 0.12.15accepts>=0.9.18, <0.10.0, so the bump resolves with no other graph changes. Lockfile-only, single crate.This lands on
main, so it clears the redcargo auditfor every open PR at once.Verified by execution:
cargo audit: exit 1 (RUSTSEC-2026-0204) before, exit 0 after.cargo build --workspace: compiles clean with0.9.20.cargo test --workspace: 829 pass, 0 fail.Closes #162.