chore(deps): bump anyhow 1.0.102 → 1.0.103 (RUSTSEC-2026-0190, green main)#312
Merged
The post-merge Security Audit on main went red — not on a vulnerability (cargo-audit reports 0 found) but on a new informational `unsound` advisory: RUSTSEC-2026-0190, anyhow < 1.0.103 `Error::downcast_mut()` unsoundness (dated 2026-06-25, patched in 1.0.103). The `rustsec/audit-check` action then tried to post a check-run annotation for the warning and failed with "Resource not accessible by integration" because the workflow token lacks `checks: write` — so a benign informational warning turned into a red required check. anyhow is a transitive dep; bumping the lockfile to 1.0.103 removes the unsoundness from our tree and the annotation trigger, greening main without touching CI token permissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The lockfile bump left the existing `[[exemptions.anyhow]]` pinned at 1.0.102, so cargo-vet rejected the now-unaudited 1.0.103. Re-pin the exemption to the new version (transitive dep, same safe-to-deploy criteria).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
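To make the cargo-vet failure in the second commit concrete, here is an added example (not the repository's own file) of what the exemption re-pin looks like. cargo-vet keeps exemptions in `supply-chain/config.toml`; the stale entry below is kept as a comment beside the corrected one. The file path and the surrounding layout are assumptions, while the crate, versions and criteria come from the PR text.

```toml
# supply-chain/config.toml (cargo-vet) -- added illustration, not the project's file.
#
# An exemption is a promise that this exact version may ship without a
# recorded audit. It is pinned to a version on purpose: if the lockfile
# moves to a version that is neither audited nor exempted, `cargo vet`
# fails, which is exactly what happened after the 1.0.102 -> 1.0.103 bump.

# Stale: still names the version the lockfile no longer uses.
# [[exemptions.anyhow]]
# version = "1.0.102"
# criteria = "safe-to-deploy"

# Re-pinned to the version the lockfile now resolves to, same criteria.
[[exemptions.anyhow]]
version = "1.0.103"
criteria = "safe-to-deploy"
```

The design point worth keeping in mind: the pinned exemption is the mechanism that caught the unreviewed version, so a version-mismatch failure after a dependency bump is the tool working as intended, and the remedy is to re-pin (or, better, record an audit) rather than to remove the exemption.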
Rivet verification gate: 20/20 passed.

Codecov Report: All modified and coverable lines are covered by tests.
Why
Post-merge Security Audit on main is red. Root cause (from the job log):
- `cargo audit` found 0 vulnerabilities — the scan is clean.
- `unsound` warning: RUSTSEC-2026-0190, `anyhow` < 1.0.103 (`Error::downcast_mut()` unsoundness; advisory dated 2026-06-25, patched in 1.0.103) — it landed after the feat(network): sound cycle-quantized long-link CQF bound + synthesizer (REQ-TSN-SYNTH-CQF-LONGLINK-001) #311 PR run passed.
- `rustsec/audit-check@v2` action then tried to create a check-run annotation for the warning and errored: `Resource not accessible by integration ... create-a-check-run` — the workflow `GITHUB_TOKEN` has only read scopes (no `checks: write`). So a benign informational warning became a red required check.

Fix

`anyhow` is a transitive dep (no crate manifest lists it). Bumping the lockfile 1.0.102 → 1.0.103 (semver-compatible) removes the unsoundness from our tree and the annotation trigger, greening main without changing CI token permissions. Lockfile-only, 2 lines.

🤖 Generated with Claude Code
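The root-cause analysis above hinges on a distinction that the failing check blurred: cargo-audit reported zero vulnerabilities, and the red status came from an informational `unsound` warning plus an annotation the token was not allowed to create. The script below is an added example (not code from this PR or its repository) of triaging a cargo-audit JSON report so that vulnerabilities block and informational warnings are surfaced with their patched-version hint. The two reports are constructed inline: the first mirrors the PR's situation (0 vulnerabilities, one `unsound` warning for anyhow 1.0.102 patched in 1.0.103), the second carries a placeholder vulnerability. The field layout follows `cargo audit --json` output as I understand it and is an assumption; the `example-crate` package and `RUSTSEC-0000-0000` id are placeholders.

```python
"""Triage a cargo-audit JSON report: block on vulnerabilities, surface
informational warnings (unsound/unmaintained/yanked) without failing the build.

Added example. Report layout follows cargo-audit's JSON output as understood
by the author of this example (assumption); all data below is constructed.
"""
import json
from dataclasses import dataclass

# Constructed to mirror the PR: clean scan, one informational `unsound` warning.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unsound": [{
            "kind": "unsound",
            "package": {"name": "anyhow", "version": "1.0.102"},
            "advisory": {"id": "RUSTSEC-2026-0190",
                         "title": "Error::downcast_mut() unsoundness",
                         "date": "2026-06-25"},
            "versions": {"patched": [">=1.0.103"], "unaffected": []},
        }]
    },
})

# Constructed counter-example with a real vulnerability; crate name and
# advisory id are placeholders, not real identifiers.
VULN_REPORT = json.dumps({
    "vulnerabilities": {"found": True, "count": 1, "list": [{
        "package": {"name": "example-crate", "version": "0.1.0"},
        "advisory": {"id": "RUSTSEC-0000-0000", "title": "placeholder"},
        "versions": {"patched": [">=0.1.1"], "unaffected": []},
    }]},
    "warnings": {},
})


@dataclass(frozen=True)
class Finding:
    blocking: bool      # True for vulnerabilities, False for informational warnings
    kind: str           # "vulnerability", "unsound", "unmaintained", "yanked", ...
    package: str
    version: str
    advisory_id: str
    patched: tuple      # version requirements that fix it, e.g. (">=1.0.103",)


def _finding(kind: str, entry: dict, blocking: bool) -> Finding:
    pkg = entry.get("package", {})
    adv = entry.get("advisory", {})
    patched = tuple(entry.get("versions", {}).get("patched", []))
    return Finding(blocking, kind, pkg.get("name", "?"), pkg.get("version", "?"),
                   adv.get("id", "?"), patched)


def triage(report_json: str) -> list:
    """Flatten the report into findings, keeping vulnerabilities and warnings apart."""
    report = json.loads(report_json)
    findings = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        findings.append(_finding("vulnerability", entry, blocking=True))
    # `warnings` is keyed by warning kind; every kind here is informational.
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            findings.append(_finding(kind, entry, blocking=False))
    return findings


def exit_code(findings: list, fail_on_informational: bool = False) -> int:
    """1 if anything blocking was found (or, optionally, any warning at all), else 0."""
    if any(f.blocking for f in findings):
        return 1
    if fail_on_informational and findings:
        return 1
    return 0


def remediation(f: Finding) -> str:
    """Human-readable next step; for anyhow this is the lockfile bump the PR made."""
    if f.patched:
        return f"bump {f.package} {f.version} -> {' or '.join(f.patched)}"
    return f"no patched version listed for {f.package} {f.version}; review {f.advisory_id}"


def main() -> int:
    findings = triage(SAMPLE_REPORT)
    for f in findings:
        level = "BLOCK" if f.blocking else "INFO"
        print(f"[{level}] {f.advisory_id} ({f.kind}): {remediation(f)}")
    return exit_code(findings)


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a post-processing step over `cargo audit --json` output, the script exits 0 for the PR's scenario while still printing the `INFO` line with the bump that clears it, so the informational advisory reaches the log without relying on a check-run annotation the token cannot create. Flip `fail_on_informational` on if the team wants unsound or unmaintained warnings to block as well.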