fix(security): remediate 8 Dependabot advisories (rustls-webpki, rand, aws-lc-sys) #112
Current stable clippy (rust 1.96.0, which CI pulls via
dtolnay/rust-toolchain@stable) flags `clippy::collapsible_match` on the
message router's TOPIC arm, where an inner `if message.params.len() >= 2`
was nested directly inside the `"TOPIC" =>` match arm. Under
`cargo clippy --all-targets --all-features -- -D warnings` this fails the
CI clippy gate on the default branch, which would otherwise block this PR
from going green.
Hoist the length guard into the match arm itself
(`"TOPIC" if message.params.len() >= 2 =>`). Behavior is unchanged: a TOPIC
message with fewer than 2 params previously fell through the inner `if`
doing nothing, and now fails the guard and falls through to the existing
`_ => {}` arm — identical no-op. The arm body is dedented one level.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
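The two shapes of the TOPIC arm described in this commit, side by side, with a harness that feeds the same message sequence through both and compares the resulting state. This is an added example, not rustirc's `router.rs`: the `Message` type, the `Topics` store and the arm body (recording channel and topic text) are assumptions standing in for whatever the real handler does with a well-formed TOPIC; only the guard and the `_ => {}` fall-through follow the commit message.

```rust
use std::collections::BTreeMap;

/// Minimal stand-in for the IRC message the router dispatches on (assumed shape).
#[derive(Debug, Clone)]
pub struct Message {
    pub command: String,
    pub params: Vec<String>,
}

impl Message {
    pub fn new(command: &str, params: &[&str]) -> Self {
        Message {
            command: command.to_string(),
            params: params.iter().map(|p| p.to_string()).collect(),
        }
    }
}

/// Per-channel topic store the handlers update (assumed; the real arm body is not on the page).
pub type Topics = BTreeMap<String, String>;

/// Pre-fix shape: the length check nested inside the `"TOPIC"` arm with no `else`,
/// so a short TOPIC silently does nothing. This is the shape the commit message
/// says clippy 1.96 reports as `collapsible_match` under `-D warnings`.
pub fn handle_nested(topics: &mut Topics, message: &Message) {
    match message.command.as_str() {
        "TOPIC" => {
            if message.params.len() >= 2 {
                topics.insert(message.params[0].clone(), message.params[1].clone());
            }
        }
        _ => {}
    }
}

/// Post-fix shape: the same check hoisted into a match guard. A short TOPIC now
/// fails the guard and lands in `_ => {}`, the same no-op. In both shapes the
/// `>= 2` check is what keeps `params[1]` in bounds on attacker-controlled input;
/// dropping it would turn a one-parameter TOPIC into an index panic.
pub fn handle_guarded(topics: &mut Topics, message: &Message) {
    match message.command.as_str() {
        "TOPIC" if message.params.len() >= 2 => {
            topics.insert(message.params[0].clone(), message.params[1].clone());
        }
        _ => {}
    }
}

/// Run the same sequence through both handlers and return both final states.
pub fn run_both(messages: &[Message]) -> (Topics, Topics) {
    let (mut nested, mut guarded) = (Topics::new(), Topics::new());
    for m in messages {
        handle_nested(&mut nested, m);
        handle_guarded(&mut guarded, m);
    }
    (nested, guarded)
}

/// Constructed inputs covering the edge the commit message reasons about:
/// 0, 1, 2 and 3 params, plus a non-TOPIC command that happens to carry "TOPIC".
pub fn sample_messages() -> Vec<Message> {
    vec![
        Message::new("TOPIC", &[]),
        Message::new("TOPIC", &["#rust"]),
        Message::new("TOPIC", &["#rust", "lockfile hygiene"]),
        Message::new("TOPIC", &["#sec", "advisories", "ignored extra param"]),
        Message::new("PRIVMSG", &["#rust", "TOPIC"]),
    ]
}

fn main() {
    let (nested, guarded) = run_both(&sample_messages());
    println!("states agree: {}", nested == guarded);
    for (chan, text) in &guarded {
        println!("{chan}: {text}");
    }
}
```

`run_both` is the regression check worth keeping next to a refactor like this: it pins the short-message no-op as observable behaviour rather than relying on the reviewer's reading of the arm.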
…isories

Remediate all 8 open Dependabot alerts on the default branch. These are transitive dependencies; the fix is confined to Cargo.lock (no manifest constraint changes were required — all bumps are within the existing semver-compatible ranges).

## Advisories resolved

- rustls-webpki 0.103.9 -> 0.103.13
  - GHSA-82j2-j2ch-gfr8 (high)
  - GHSA-pwjx-qhcg-rvj4 (medium)
  - GHSA-965h-392x-2mh5 (low)
  - GHSA-xgp8-3hg3-c2mh (low)
- aws-lc-sys 0.38.0 -> 0.41.0 (via aws-lc-rs 1.16.1 -> 1.17.0, whose aws-lc-sys ^0.38 requirement otherwise excluded the patched line)
  - GHSA-9f94-5g5w-gf6r (high)
  - GHSA-394x-vwmw-crm3 (high)
- rand 0.8.5 -> 0.8.6 and rand 0.9.2 -> 0.9.3
  - GHSA-cq8v-f236-94qc (low, both major lines)

## Verification

- cargo build --workspace: 0 errors
- cargo clippy --all-targets --all-features -- -D warnings: clean (after the preceding router.rs lint fix)
- cargo test --workspace: 266 passed (18 suites)
- No old vulnerable versions remain in Cargo.lock

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Code Review
This pull request updates several dependencies in Cargo.lock, including aws-lc-rs, aws-lc-sys, rand, and rustls-webpki. Additionally, it refactors the "TOPIC" message handling in crates/rustirc-core/src/router.rs to use a match guard instead of an inner if condition, simplifying the nesting structure. There are no review comments, and I have no additional feedback to provide.
Pull request overview
This PR remediates Dependabot security advisories by updating vulnerable transitive Rust dependencies via Cargo.lock, and includes a small, behavior-preserving refactor in the core message router to satisfy clippy::collapsible_match under current stable Clippy.
Changes:
- Refactor TOPIC message handling in `ChannelHandler` to use a match guard instead of an inner `if` (no-op behavior preserved for short TOPIC messages).
- Update `Cargo.lock` to bump `rustls-webpki`, `aws-lc-sys` (and required `aws-lc-rs`), and both `rand` major lines to patched versions addressing advisories.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/rustirc-core/src/router.rs | Uses a match guard for TOPIC handling to satisfy Clippy without changing runtime behavior. |
| Cargo.lock | Updates transitive dependency versions to patched releases that resolve 8 Dependabot alerts. |
Summary
Remediates all 8 open Dependabot alerts on `main` (3 high, 1 moderate, 4 low). All are transitive dependencies; the security fix is confined to `Cargo.lock` — no manifest constraint changes were needed (every bump is within the existing semver-compatible ranges).

A second, prerequisite commit fixes a pre-existing `clippy::collapsible_match` lint that current stable clippy (1.96.0, which CI pulls via `dtolnay/rust-toolchain@stable`) flags in `router.rs` — without it the CI clippy gate (`-D warnings`) would block this PR from going green. That fix is behavior-preserving (see below).

Advisories resolved

- `rustls-webpki`
- `aws-lc-sys`
- `rand`

`aws-lc-sys` 0.38 → patched line required bumping its parent `aws-lc-rs` 1.16.1 → 1.17.0 (the only change beyond the four target packages), since `aws-lc-rs 1.16.1` pinned `aws-lc-sys ^0.38` and excluded the patched 0.39+ line.

Commits

- `fix(core)` — hoist the TOPIC handler's `params.len() >= 2` check into a match guard (`"TOPIC" if … =>`). A short TOPIC message previously fell through the inner `if` as a no-op; it now fails the guard and falls through to the existing `_ => {}` arm — identical no-op, no behavior change.
- `build(deps)` — the `Cargo.lock` advisory bumps above.

Verification (local, rust 1.96.0)

- `cargo build --workspace`: 0 errors
- `cargo clippy --all-targets --all-features -- -D warnings`: clean
- `cargo test --workspace`: 266 passed (18 suites)
- `Cargo.lock`

🤖 Generated with Claude Code
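The "no old vulnerable versions remain in Cargo.lock" step above is the one a reviewer cannot take on trust from a green build, because a transitive crate can appear in the lockfile on several major lines at once (exactly the `rand` 0.8 / 0.9 situation here). The following added example, not part of the rustirc project or its CI, scans a Cargo.lock for `[[package]]` entries still below a per-line patched floor, using only the standard library. The floors are taken from this PR's commit message (`rustls-webpki` 0.103.13, `rand` 0.8.6 and 0.9.3, and `aws-lc-sys` at the "patched 0.39+ line" the description names); they are this example's assumptions, not a lookup of the advisories' actual affected ranges, and the two lockfile excerpts are constructed, not the repository's real Cargo.lock.

```rust
/// One `[[package]]` entry from Cargo.lock, reduced to what this check needs.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Minimum patched version for one advisory. `line` restricts the floor to a
/// single `major.minor` series so that two series of the same crate (rand 0.8
/// and rand 0.9 here) can carry different floors; `None` applies to any version.
pub struct Floor {
    pub name: &'static str,
    pub line: Option<(u64, u64)>,
    pub fixed: (u64, u64, u64),
}

/// Floors as stated in this PR's commit message (assumption: not looked up
/// against the GHSA entries themselves). aws-lc-sys uses the "0.39+" wording.
pub const FLOORS: &[Floor] = &[
    Floor { name: "rustls-webpki", line: Some((0, 103)), fixed: (0, 103, 13) },
    Floor { name: "aws-lc-sys", line: None, fixed: (0, 39, 0) },
    Floor { name: "rand", line: Some((0, 8)), fixed: (0, 8, 6) },
    Floor { name: "rand", line: Some((0, 9)), fixed: (0, 9, 3) },
];

/// Collect `name = "..."` / `version = "..."` pairs from each `[[package]]` table.
/// Cargo.lock is TOML, but these two keys are always plain quoted strings on their
/// own lines, so a line scanner is enough here without the `toml` crate.
pub fn parse_lock(lock: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Parse `MAJOR.MINOR.PATCH`, ignoring any `-pre` or `+build` suffix.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(['-', '+']).next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every locked package still below a floor that applies to it. An entry whose
/// version does not parse is reported as well: an unreadable version is not
/// evidence that it is patched.
pub fn still_vulnerable(packages: &[LockedPackage], floors: &[Floor]) -> Vec<LockedPackage> {
    packages
        .iter()
        .filter(|p| {
            floors.iter().any(|f| {
                if f.name != p.name {
                    return false;
                }
                match parse_semver(&p.version) {
                    None => true,
                    Some(v) => f.line.map_or(true, |l| (v.0, v.1) == l) && v < f.fixed,
                }
            })
        })
        .cloned()
        .collect()
}

/// Constructed excerpts (not the project's lockfile): the pre-PR versions named
/// in the commit message, and the post-PR versions. `aws-lc-rs` has no floor and
/// its `dependencies` list shows the scanner ignoring unrelated keys.
pub const BEFORE: &str = "[[package]]\nname = \"aws-lc-rs\"\nversion = \"1.16.1\"\ndependencies = [\n \"aws-lc-sys\",\n]\n\n[[package]]\nname = \"aws-lc-sys\"\nversion = \"0.38.0\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.8.5\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.9.2\"\n\n[[package]]\nname = \"rustls-webpki\"\nversion = \"0.103.9\"\n";

pub const AFTER: &str = "[[package]]\nname = \"aws-lc-rs\"\nversion = \"1.17.0\"\n\n[[package]]\nname = \"aws-lc-sys\"\nversion = \"0.41.0\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.8.6\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.9.3\"\n\n[[package]]\nname = \"rustls-webpki\"\nversion = \"0.103.13\"\n";

fn main() {
    for &(label, lock) in [("before", BEFORE), ("after", AFTER)].iter() {
        let hits = still_vulnerable(&parse_lock(lock), FLOORS);
        println!("{label}: {} entries still below an advisory floor", hits.len());
        for p in &hits {
            println!("  {} {}", p.name, p.version);
        }
    }
}
```

Run against a real lockfile by reading it with `std::fs::read_to_string("Cargo.lock")` and passing the text to `parse_lock`. The per-line floors are the point: a check that only asks "is rand >= 0.9.3?" would pass a lockfile that still carries rand 0.8.5, and one that asks "is rand >= 0.8.6?" would wrongly flag 0.9.x as patched by version comparison alone.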