Skip to content

fix(deps): bump crossbeam-epoch to 0.9.20 for RUSTSEC-2026-0204 (#162)#163

Merged
kevincodex1 merged 1 commit into
mainfrom
fix/issue-162-bump-crossbeam-epoch
Jul 7, 2026
Merged

fix(deps): bump crossbeam-epoch to 0.9.20 for RUSTSEC-2026-0204 (#162)#163
kevincodex1 merged 1 commit into
mainfrom
fix/issue-162-bump-crossbeam-epoch

Conversation

@beardthelion

Copy link
Copy Markdown
Collaborator

Bumps crossbeam-epoch from 0.9.18 to 0.9.20 to clear RUSTSEC-2026-0204 (invalid pointer dereference in its fmt::Pointer impl for Atomic/Shared), which is hard-failing cargo audit on every branch since the advisory landed in the RustSec db.

crossbeam-epoch is a fully transitive dependency (moka -> hickory-resolver -> libp2p-dns); the advisory's prescribed fix is >= 0.9.20, and moka 0.12.15 accepts >=0.9.18, <0.10.0, so the bump resolves with no other graph changes. Lockfile-only, single crate.

This lands on main, so it clears the red cargo audit for every open PR at once.

Verified by execution:

  • cargo audit: exit 1 (RUSTSEC-2026-0204) before, exit 0 after.
  • cargo build --workspace: compiles clean with 0.9.20.
  • cargo test --workspace: 829 pass, 0 fail.

Closes #162.

RUSTSEC-2026-0204 (invalid pointer dereference in crossbeam-epoch's
fmt::Pointer impl for Atomic/Shared) hard-fails cargo audit on every branch,
since the advisory's addition to the RustSec db. crossbeam-epoch is a fully
transitive dependency (moka -> hickory-resolver -> libp2p-dns), and the
advisory's prescribed fix is >= 0.9.20; moka 0.12.15 accepts >=0.9.18,<0.10.0
so the bump resolves with no other graph changes.

Lockfile-only, single crate. Verified: cargo audit exits 0 and the workspace
builds clean with 0.9.20.

Closes #162.
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 42759c88-0b7f-4d5a-9125-75631f9829ab

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/issue-162-bump-crossbeam-epoch

Comment @coderabbitai help to get the list of available commands.

@beardthelion beardthelion added the kind:bug Defect fix — wrong or unsafe behavior label Jul 7, 2026

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution. I do not see any actionable issues from my review.

@kevincodex1 LGTM

@kevincodex1 kevincodex1 merged commit 67ad2b8 into main Jul 7, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind:bug Defect fix — wrong or unsafe behavior

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: cargo audit hard-fails repo-wide on RUSTSEC-2026-0204 (crossbeam-epoch); bump to 0.9.20

3 participants