chore(deps): update rust crate anyhow to v1.0.103 [security] #321

Open
renovate[bot] wants to merge 1 commit into v0.3-dev from renovate/crate-anyhow-vulnerability

renovate Bot commented Jun 29, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| anyhow | dependencies | patch | 1.0.86 → 1.0.103 |
| anyhow | dependencies | patch | 1.0.97 → 1.0.103 |
| anyhow | dependencies | patch | 1.0.102 → 1.0.103 |
| anyhow | dependencies | patch | 1.0.98 → 1.0.103 |

Unsoundness in Error::downcast_mut()

RUSTSEC-2026-0190

More information

Details

Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via Error::context and then later calls Error::downcast_mut on the returned Error.

The flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.

Example

```rust
use anyhow::Error;
use std::fmt;

#[derive(Debug)]
struct ErrorContext(&'static str);

impl fmt::Display for ErrorContext {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

fn main() {
    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
    let context: &mut ErrorContext = error.downcast_mut().unwrap();
    context.0 = "new context";
    println!("{:?}", error);
}
```
Miri output

```
error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
   --> src/ptr.rs:170:18
    |
170 |         unsafe { &mut *self.ptr.as_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
   --> src/ptr.rs:89:18
    |
 89 |             ptr: NonNull::from(ptr),
    |                  ^^^^^^^^^^^^^^^^^^
    = note: stack backtrace:
            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
                at src/ptr.rs:170:18: 170:41
            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
                at src/error.rs:560:18: 560:46
            2: main
                at examples/downcast_mut.rs:15:38: 15:58
```

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
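
A reduced model of the pattern the Miri trace above points at, added here as an illustration; it is not part of the PR and not anyhow's code. `Wrapped`, `RawMut` and `replace_context` are hypothetical names. The block contrasts a pointer derived from a shared reference with one derived from a unique reference, and only the latter is exercised at runtime.

```rust
use std::marker::PhantomData;
use std::ptr::NonNull;

// Hypothetical stand-in for an error object that stores a context value.
struct Wrapped {
    context: &'static str,
}

// Hypothetical pointer wrapper: a raw pointer that is later turned into `&mut T`.
struct RawMut<'a, T> {
    ptr: NonNull<T>,
    lifetime: PhantomData<&'a mut T>,
}

impl<'a, T> RawMut<'a, T> {
    // Unsound: the pointer is derived from `&T`, so it carries read-only permission.
    // Calling `deref_mut` on the result is undefined behavior (the SharedReadOnly
    // retag Miri reports). Kept only for comparison and never called here.
    #[allow(dead_code)]
    fn from_shared(r: &'a T) -> Self {
        RawMut { ptr: NonNull::from(r), lifetime: PhantomData }
    }

    // Sound: the pointer is derived from `&mut T`, so no shared reference
    // appears anywhere in the borrow chain.
    fn from_unique(r: &'a mut T) -> Self {
        RawMut { ptr: NonNull::from(r), lifetime: PhantomData }
    }

    fn deref_mut(self) -> &'a mut T {
        // SAFETY: valid only when `ptr` was produced by `from_unique`.
        unsafe { &mut *self.ptr.as_ptr() }
    }
}

// Replaces the stored context through a uniquely derived pointer and returns it.
fn replace_context(w: &mut Wrapped, new: &'static str) -> &'static str {
    let slot: &mut &'static str = RawMut::from_unique(&mut w.context).deref_mut();
    *slot = new;
    w.context
}

fn main() {
    let mut w = Wrapped { context: "old context" };
    println!("{}", replace_context(&mut w, "new context"));
}
```

Running the block under `cargo miri run` reports no error for the `from_unique` path; swapping in `from_shared` reproduces the same class of Stacked Borrows violation shown in the advisory.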

renovate Bot commented Jun 29, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: executor/Cargo.lock

```
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path executor/Cargo.toml --package anyhow@1.0.102 --precise 1.0.103
    Updating crates.io index
error: failed to get `wasmparser` as a dependency of package `genvm v0.3.0 (/tmp/renovate/repos/github/genlayerlabs/genvm/executor)`

Caused by:
  failed to load source for dependency `wasmparser`

Caused by:
  unable to update /tmp/renovate/repos/github/genlayerlabs/genvm/executor/third-party/wasm-tools/crates/wasmparser

Caused by:
  failed to read `/tmp/renovate/repos/github/genlayerlabs/genvm/executor/third-party/wasm-tools/crates/wasmparser/Cargo.toml`

Caused by:
  No such file or directory (os error 2)
```

github-actions Bot changed the base branch from main to v0.3-dev June 29, 2026 20:01

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions

👋 This PR targeted main, so I've retargeted it to the latest dev branch v0.3-dev.

main is protected and is only an alias of the latest release branch (v0.3-dev), kept in lockstep automatically. Active v0.3 work lands on v0.3-dev, which reaches v0.3.x through the standing release-gate PR once the cross-repo E2E matrix is green.

renovate Bot commented Jun 29, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
