Skip to content

chore(deps): update openssl to 0.10.81 and rand 0.8 to 0.8.6 for residual advisories#78

Merged
sametd merged 1 commit into
mainfrom
chore/residual-dependency-alerts
Jul 8, 2026
Merged

chore(deps): update openssl to 0.10.81 and rand 0.8 to 0.8.6 for residual advisories#78
sametd merged 1 commit into
mainfrom
chore/residual-dependency-alerts

Conversation

@sametd

@sametd sametd commented Jul 8, 2026

Copy link
Copy Markdown
Member

Summary

Follow-up to #75/#76 clearing the remaining open Dependabot alerts (the original alert table truncated the openssl list with "View 3 more"):

Dependency From To Advisories Pulled in by
openssl 0.10.78 0.10.81 GHSA-phqj-4mhp-q6mq (needs ≥0.10.80), GHSA-xv59-967r-8726, GHSA-xp3w-r5p5-63rr (need ≥0.10.79) ldap3 → native-tls
rand (0.8 series) 0.8.5 0.8.6 GHSA-cq8v-f236-94qc (also covers >= 0.7.0, < 0.8.6) jsonwebtoken / rsa

Lockfile-only; MSRV-safe (openssl 0.10.81 declares 1.80, rand 0.8.6 declares none — both within rust-version 1.88).

After this, gh api .../dependabot/alerts should report zero open alerts.

Testing

  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo test ✅ (all suites green)

Docs Preview
https://sites.ecmwf.int/docs/authotron/pull-requests/PR-78

…dual advisories

The previous security update targeted the advisory table's suggested
versions, but three further openssl advisories require >= 0.10.80
(GHSA-phqj-4mhp-q6mq, GHSA-xv59-967r-8726, GHSA-xp3w-r5p5-63rr), and
GHSA-cq8v-f236-94qc also covers the rand 0.8 series (< 0.8.6) pulled in
via jsonwebtoken. Both bumps are lockfile-only and MSRV-safe.
@sametd sametd force-pushed the chore/residual-dependency-alerts branch from 2c8d8fc to 22582e7 Compare July 8, 2026 17:35
@sametd sametd merged commit 92c67dc into main Jul 8, 2026
8 checks passed
@sametd sametd deleted the chore/residual-dependency-alerts branch July 8, 2026 17:38
sametd added a commit that referenced this pull request Jul 9, 2026
…dual advisories (#78)

The previous security update targeted the advisory table's suggested
versions, but three further openssl advisories require >= 0.10.80
(GHSA-phqj-4mhp-q6mq, GHSA-xv59-967r-8726, GHSA-xp3w-r5p5-63rr), and
GHSA-cq8v-f236-94qc also covers the rand 0.8 series (< 0.8.6) pulled in
via jsonwebtoken. Both bumps are lockfile-only and MSRV-safe.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant