Skip to content

chore: bump crossbeam-epoch 0.9.18 -> 0.9.20 (RUSTSEC-2026-0204)#148

Merged
Nic-dorman merged 1 commit into
mainfrom
chore/sec-audit-bumps
Jul 9, 2026
Merged

chore: bump crossbeam-epoch 0.9.18 -> 0.9.20 (RUSTSEC-2026-0204)#148
Nic-dorman merged 1 commit into
mainfrom
chore/sec-audit-bumps

Conversation

@Nic-dorman

Copy link
Copy Markdown
Contributor

cargo audit on main now fails on RUSTSEC-2026-0204 — an invalid pointer dereference in crossbeam-epoch's fmt::Pointer impl for Atomic/Shared. The advisory was published after the 0.3.1 release, so it's newly reachable by the CI audit job (and by anyone building from main).

Fix per the advisory: upgrade to >=0.9.20. This is a transitive patch bump — lockfile-only, no manifest change. cargo audit is clean afterward (remaining items are allowed unmaintained warnings). quinn-proto is already at the patched 0.11.15 on main, so no other vulnerabilities remain.

Surfaced while bumping ant-sdk's ffi/antd onto ant-core 0.3.1 — fixing at the source so downstream consumers inherit it on the next release.

🤖 Generated with Claude Code

Fixes the one vulnerability flagged by `cargo audit` on main: an invalid
pointer dereference in crossbeam-epoch's `fmt::Pointer` impl. The advisory
was published after the 0.3.1 release, so main's audit now fails on it.
Transitive patch bump, lockfile-only, no manifest change; audit clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Nic-dorman
Nic-dorman merged commit cc714aa into main Jul 9, 2026
12 checks passed
@Nic-dorman
Nic-dorman deleted the chore/sec-audit-bumps branch July 9, 2026 13:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant