fix(deps): clear all 36 open Dependabot vulnerabilities #1045
Merged
The dwctl/Cargo.lock had drifted significantly behind the workspace lock, causing Dependabot to flag ~22 vulnerabilities that were already addressed in the workspace's Cargo.lock. Regenerating brings in:

- openssl 0.10.73 -> 0.10.79 (CVE-2026-41676/77/78/81/898)
- rustls-webpki 0.103.4 -> 0.103.13 (GHSA-82j2-j2ch-gfr8 and webpki name-constraint issues)
- quinn-proto 0.11.12 -> 0.11.14 (CVE-2026-31812)
- bytes 1.10.1 -> 1.11.1 (CVE-2026-25541)
- tar 0.4.44 -> 0.4.45 (CVE-2026-33055/56)
- protobuf 2.28.0 -> 3.7.2 (CVE-2025-53605)
- time 0.3.41 -> 0.3.47 (CVE-2026-25727)
- rsa 0.9.8 -> 0.9.10 (CVE-2026-21895)
- rand 0.8.5/0.9.2 -> 0.8.6/0.9.4 (GHSA-cq8v-f236-94qc)

Remaining: jsonwebtoken (needs Cargo.toml major bump) and the transitive rustls-webpki 0.101.7 pulled in via aws-sdk-s3 -> hyper-rustls 0.24.
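A drift check for the situation described in the commit above, added here as an example and not code from the PR or the project: it flattens two Cargo.lock files and prints every crate they pin at different versions, so a nested lock falling behind the workspace lock is caught before Dependabot re-raises alerts the workspace already fixed. The sample lockfiles, the `serde` and `tokio` entries, and the `mk_lock` helper are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PR: flag a nested Cargo.lock that has
# drifted behind the workspace Cargo.lock, the root cause of ~22 of the
# alerts above. The sample lockfiles below are constructed, not the repo's.
export LC_ALL=C

# Flatten a Cargo.lock into "name versions" lines. A crate that appears at
# several versions (rand 0.8.x and 0.9.x here) becomes one comma-joined line
# so the comparison stays one-to-one per crate name.
lock_versions() {
    awk '
        /^\[\[package\]\]/ { if (name != "") print name, ver; name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3 }
        END                { if (name != "") print name, ver }
    ' "$1" | sort | awk '
        { v[$1] = (v[$1] == "") ? $2 : v[$1] "," $2 }
        END { for (n in v) print n, v[n] }
    ' | sort
}

# Print "crate stale -> fresh" for every crate both locks pin but at
# different versions; crates present in only one lock are ignored.
lock_drift() {
    a=$(mktemp); b=$(mktemp)
    lock_versions "$1" > "$a"
    lock_versions "$2" > "$b"
    join "$a" "$b" | awk '$2 != $3 { print $1, $2, "->", $3 }'
    rm -f "$a" "$b"
}

# Constructed sample data: mk_lock FILE name=version ... writes a minimal lock.
mk_lock() {
    out=$1; shift; : > "$out"
    for p in "$@"; do
        printf '[[package]]\nname = "%s"\nversion = "%s"\n\n' "${p%%=*}" "${p#*=}" >> "$out"
    done
}
SAMPLES=$(mktemp -d)
STALE="$SAMPLES/dwctl-Cargo.lock"
FRESH="$SAMPLES/workspace-Cargo.lock"
mk_lock "$STALE" bytes=1.10.1 rand=0.8.5 rand=0.9.2 serde=1.0.219
mk_lock "$FRESH" bytes=1.11.1 rand=0.8.6 rand=0.9.4 serde=1.0.219 tokio=1.45.0

lock_drift "$STALE" "$FRESH"
```

Run against the real `dwctl/Cargo.lock` and workspace `Cargo.lock`, a non-empty report is the signal to regenerate the nested lock.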
GHSA-h395-gr6q-cpjc: type confusion that can lead to authorization bypass. Patched in jsonwebtoken 10.3.0.

Major-version migration changes:

- jsonwebtoken 10 requires explicitly choosing a crypto backend; opted for the pure-Rust `rust_crypto` feature (matches the existing in-tree HMAC/SHA2 setup) rather than aws-lc-rs to keep the dep graph minimal.
- ErrorKind::Crypto(_) was split into ErrorKind::Signing(_) and ErrorKind::Provider(_); both classified as server errors.
- Added new variants ErrorKind::InvalidEddsaKey (server) and ErrorKind::InvalidClaimFormat(_) (client) introduced in 10.x.
Two transitive vulnerabilities were entering through aws-sdk-s3:

1. rustls-webpki 0.101.7 (GHSA-xgp8-3hg3-c2mh, GHSA-965h-392x-2mh5, GHSA-pwjx-qhcg-rvj4) — pulled in via the aws-sdk-s3 default feature `rustls`, which enables `aws-smithy-http-client/legacy-rustls-ring` and thereby the unmaintained rustls 0.21 / hyper-rustls 0.24 stack.
2. lru 0.12.5 (GHSA-rhfx-m35p-ff5j) — bundled by aws-sdk-s3 1.119; the 1.131 release upgrades to lru 0.16.

Disabled aws-sdk-s3 default features and re-enabled the modern ones (`sigv4a`, `default-https-client`, `rt-tokio`), which routes through the modern rustls 0.23 / aws-lc-rs path. Then bumped to 1.131.0 so the lru 0.16 transitive landed.

Verified `cargo check -p dwctl --tests` still passes; no source changes required since dwctl/src/connections/provider/s3.rs only uses the public client + config builder surface.
…postcss, picomatch, mdast-util-to-hast)

Direct upgrades through `pnpm update` lifted vite, postcss, and picomatch to their patched versions:

- vite 7.3.1 -> 7.3.2 (CVE-2026-39363/64/65: WebSocket file read, fs.deny query bypass, .map path traversal)
- postcss 8.5.6 -> 8.5.10 (CVE-2026-41305: XSS via unescaped </style>)
- picomatch 4.0.3 -> 4.0.4 (CVE-2026-33671/72: ReDoS, POSIX class injection)

Two transitive deps stay pinned by their parents at vulnerable versions even though patched releases exist; added pnpm overrides to force them up:

- lodash >= 4.18.0 (recharts pins ^4.17.21; CVE-2026-2950/4800, CVE-2025-13465: prototype pollution + code injection in _.template)
- mdast-util-to-hast >= 13.2.1 (react-markdown pins ^13.0.0; CVE-2025-66400: unsanitized class attribute)

`pnpm audit --prod` reports zero remaining vulnerabilities.
Deploying control-layer with

| Field | Value |
|---|---|
| Latest commit | 92a329f |
| Status | ✅ Deploy successful! |
| Preview URL | https://08ac1672.control-layer.pages.dev |
| Branch Preview URL | https://fix-dependabot-vulnerabiliti.control-layer.pages.dev |
Pull request overview
This PR updates Rust and dashboard dependencies to clear reported vulnerabilities across the monorepo, including the JWT library upgrade, the S3 SDK TLS path change, and frontend lockfile refreshes.
Changes:

- Upgraded `jsonwebtoken` to v10 and updated JWT error handling for the new error variants.
- Reconfigured `aws-sdk-s3` to avoid the legacy rustls stack while refreshing Rust lockfile dependencies.
- Updated dashboard dependency resolutions and pnpm overrides to pull patched transitive packages.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| dwctl/src/auth/session.rs | Adjusts JWT verification error mapping for jsonwebtoken v10. |
| dwctl/Cargo.toml | Updates Rust dependency declarations for JWT and S3 SDK handling. |
| dashboard/pnpm-lock.yaml | Refreshes frontend dependency graph and transitive resolutions. |
| dashboard/package.json | Bumps Vite and adds pnpm overrides for vulnerable transitive packages. |
| Cargo.lock | Regenerates workspace Rust lockfile to resolve patched crate versions. |
Files not reviewed (1)
- dashboard/pnpm-lock.yaml: Language not supported
Vite 7 (already in use prior to this PR) requires node ^20.19.0 || >=22.12.0, but neither dashboard/package.json nor the contributor docs called that out. Without an `engines` entry, contributors on Node 20.0–20.18 only discover the floor when install/build fails.

- Add `engines.node` to dashboard/package.json matching Vite 7's range.
- Tighten the copilot-instructions "Node.js 20+" line, which was already stale (Vite 7.3.1 had the same constraint as 7.3.2).

Spotted by the GitHub Copilot reviewer on PR #1045.
sejori pushed a commit that referenced this pull request on May 5, 2026
🤖 I have created a release *beep* *boop*

---

## [8.46.0](v8.45.0...v8.46.0) (2026-05-05)

### Features

* **webhooks:** allow org members read-only access to org webhooks ([#1043](#1043)) ([4bf5b54](4bf5b54))

### Bug Fixes

* **deps:** clear all 36 open Dependabot vulnerabilities ([#1045](#1045)) ([fa79316](fa79316))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary
Clears all 36 open Dependabot alerts (13 high, 14 moderate, 9 low) across the Rust workspace and the dashboard. Done in 4 logically-grouped commits so each is independently reviewable.
1. `chore(deps): regenerate dwctl/Cargo.lock`
   `dwctl/Cargo.lock`. The file had drifted far behind the workspace lock; openssl, rustls-webpki, quinn-proto, bytes, tar, protobuf, time, rsa, and rand were all already patched in the workspace lock — they just hadn't propagated.
2. `fix(deps): bump jsonwebtoken 9 -> 10`
   `ErrorKind` match-arm updates (`Crypto(_)` split into `Signing(_)`/`Provider(_)`; new `InvalidEddsaKey` and `InvalidClaimFormat(_)`) and an explicit crypto-backend feature (`rust_crypto`).
3. `fix(deps): drop legacy rustls path from aws-sdk-s3, bump it to 1.131`
   `aws-sdk-s3`: rustls-webpki 0.101.7 (via the default `rustls` feature → unmaintained rustls 0.21 stack) and lru 0.12.5. Disabled `default-features` and re-enabled the modern `default-https-client` path; bumped to 1.131 so lru 0.16 lands.
4. `fix(deps): patch dashboard transitive vulnerabilities`
   `pnpm update` lifted vite 7.3.2 / postcss 8.5.10 / picomatch 4.0.4. lodash and mdast-util-to-hast are pinned by parent packages (recharts, react-markdown) at vulnerable versions even though patched releases exist — added pnpm overrides for both.

Vulnerabilities addressed
Rust: openssl (CVE-2026-41676/77/78/81/898), rustls-webpki (GHSA-82j2-j2ch-gfr8 + name-constraint issues), quinn-proto (CVE-2026-31812), jsonwebtoken (CVE-2026-25537), tar (CVE-2026-33055/56), bytes (CVE-2026-25541), protobuf (CVE-2025-53605), time (CVE-2026-25727), rsa (CVE-2026-21895), rand (GHSA-cq8v-f236-94qc), lru (GHSA-rhfx-m35p-ff5j).
npm: vite (CVE-2026-39363/64/65), lodash (CVE-2026-2950/4800, CVE-2025-13465), picomatch (CVE-2026-33671/72), postcss (CVE-2026-41305), mdast-util-to-hast (CVE-2025-66400). (glob and minimatch alerts were dev-only and dropped out automatically when their parent packages updated.)
Test plan
- `just lint rust` passes
- `cargo test --workspace --lib` → 1242 passed, 0 failed
- `just lint ts` passes
- `just test ts` → 498 passed, 0 failed
- `pnpm audit --prod` reports zero vulnerabilities

🤖 Generated with Claude Code