
fix(deps): update Cargo.lock to resolve RUSTSEC-2026-0013#62

Merged

bug-ops merged 3 commits into main from fix/update-dependencies-rustsec-2026-0013 on Feb 20, 2026


@bug-ops bug-ops commented Feb 20, 2026

Summary

  • Bump pyo3 to >=0.28.2 to fix memory corruption vulnerability (RUSTSEC-2026-0013)
  • Update transitive dependencies in Cargo.lock

Motivation

cargo deny check advisories fails on pyo3 0.28.0 due to type confusion when accessing data from subclasses of native Python types with abi3 feature targeting Python 3.12+. This blocks CI for all PRs (e.g. #60).

References

Test plan

  • cargo +nightly fmt --check passes
  • cargo clippy --workspace -- -D warnings passes
  • cargo nextest run --workspace — 461 tests pass
  • cargo deny check advisories should pass in CI

github-actions bot added labels on Feb 20, 2026: type: build (Build system, dependencies, or tooling), type: tooling (Development tools, CI/CD, or infrastructure), component: core (feedparser-rs-core Rust library), component: python (Python bindings (PyO3)), component: node (Node.js bindings (napi-rs)), component: dependencies (Dependency updates or management), lang: javascript (JavaScript/TypeScript code), size: XL (Extra large PR, <1000 lines changed)
Bump pyo3 and other transitive dependencies to fix memory corruption
vulnerability in pyo3 <0.28.2 affecting abi3 builds on Python 3.12+.

Closes #61
bug-ops force-pushed the fix/update-dependencies-rustsec-2026-0013 branch from d7046ff to 8ffe525 on February 20, 2026 02:01
github-actions bot added the size: M (Medium PR, <200 lines changed) label and removed size: XL (Extra large PR, <1000 lines changed) on Feb 20, 2026
Add pnpm override for minimatch >=10.2.1, upgrade biome to 2.4.0
and migrate its configuration schema.
github-actions bot added the size: L (Large PR, <500 lines changed) label and removed size: M (Medium PR, <200 lines changed) on Feb 20, 2026
npm audit ignores pnpm overrides, causing false positives for
minimatch GHSA-3ppc-4f35-3m26. Use pnpm audit which respects
the overrides in package.json.
github-actions bot added the component: ci (CI/CD workflows and automation) label on Feb 20, 2026
bug-ops enabled auto-merge (squash) on February 20, 2026 02:11
bug-ops merged commit b7d437c into main on Feb 20, 2026
32 checks passed
bug-ops deleted the fix/update-dependencies-rustsec-2026-0013 branch on February 20, 2026 02:17

Development

Successfully merging this pull request may close these issues.

Update pyo3 to fix RUSTSEC-2026-0013 (memory corruption)