Commit: 2f26d91 · Finding: DEP-01
Problem
cargo audit reports 3 live vulnerabilities against rustls-webpki 0.103.10 in Cargo.lock, pulled transitively through the iroh/quinn/reqwest TLS stack:
- RUSTSEC-2026-0098 — wildcard name-constraint bypass
- RUSTSEC-2026-0099 — URI name-constraint bypass
- RUSTSEC-2026-0104 — reachable panic in CRL parsing (DoS)
The relay's QUIC endpoint and any HTTPS client path run on this TLS stack.
Fix
Run cargo update -p rustls-webpki and check whether the resolver can move to a patched release. If iroh's lockfile pin blocks that, bump iroh/iroh-relay/quinn to their latest patch releases, or add a [patch.crates-io] entry for rustls-webpki in the workspace Cargo.toml.
After the bump, cargo audit should report 0 vulnerabilities for rustls-webpki.
Obvious fix — will be auto-PR'd once the dependency path is resolved.