
chore(deps): bump anyhow 1.0.102 → 1.0.103 (RUSTSEC-2026-0190, green main)#312

Merged
avrabe merged 3 commits into main from chore/bump-anyhow-rustsec-2026-0190 on Jul 1, 2026

Conversation

@avrabe avrabe commented Jul 1, 2026


Why

Post-merge Security Audit on main is red. Root cause (from the job log):

  • cargo audit found 0 vulnerabilities — the scan is clean.
  • It surfaced 1 informational unsound warning: RUSTSEC-2026-0190, anyhow < 1.0.103 (Error::downcast_mut() unsoundness; advisory dated 2026-06-25, patched in 1.0.103) — it landed after the feat(network): sound cycle-quantized long-link CQF bound + synthesizer (REQ-TSN-SYNTH-CQF-LONGLINK-001) #311 PR run passed.
  • The rustsec/audit-check@v2 action then tried to create a check-run annotation for the warning and errored: Resource not accessible by integration ... create-a-check-run — the workflow GITHUB_TOKEN has only read scopes (no checks: write). So a benign informational warning became a red required check.

Fix

anyhow is a transitive dep (no crate manifest lists it). Bumping the lockfile 1.0.102 → 1.0.103 (semver-compatible) removes the unsoundness from our tree and the annotation trigger, greening main without changing CI token permissions. Lockfile-only, 2 lines.

🤖 Generated with Claude Code
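As an added example (not part of this PR or the project's code), a small triage script that reads a cargo-audit JSON report shaped like the one in the job log above and fails the gate only on real vulnerabilities, while reporting informational warnings such as this `unsound` advisory without turning the check red. The report layout is assumed from cargo-audit's `--json` output and the values are constructed; `is_fixed` also shows why the 1.0.103 bump clears the warning.

```python
import json

# Constructed sample shaped like `cargo audit --json` output for the situation
# this PR describes: zero vulnerabilities plus one informational `unsound`
# warning for anyhow < 1.0.103 (RUSTSEC-2026-0190). The field layout is an
# assumption about cargo-audit's JSON report; the values are constructed here.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {"unsound": [{
        "kind": "unsound",
        "package": {"name": "anyhow", "version": "1.0.102"},
        "advisory": {"id": "RUSTSEC-2026-0190", "date": "2026-06-25"},
        "versions": {"patched": [">=1.0.103"], "unaffected": []},
    }]},
})

def parse_version(text):
    """'1.0.103' -> (1, 0, 103); enough for plain x.y.z releases."""
    return tuple(int(part) for part in text.split("."))

def is_fixed(version, patched_reqs):
    """True when `version` satisfies any '>=x.y.z' patched requirement."""
    v = parse_version(version)
    return any(v >= parse_version(req[2:].strip())
               for req in patched_reqs if req.startswith(">="))

def _finding(kind, item):
    return (kind, item["advisory"]["id"], item["package"]["name"],
            item["package"]["version"], item["versions"].get("patched", []))

def triage(report_json, fail_on=("vulnerability",)):
    """Return (should_fail, findings); findings are
    (kind, advisory id, package, version, patched requirements).
    Only kinds in `fail_on` fail the gate: informational warnings such as
    `unsound` or `unmaintained` are reported but do not turn the check red."""
    report = json.loads(report_json)
    findings = [_finding("vulnerability", i) for i in report["vulnerabilities"]["list"]]
    for kind, entries in report.get("warnings", {}).items():
        findings += [_finding(kind, i) for i in entries]
    return any(kind in fail_on for kind, *_ in findings), findings

if __name__ == "__main__":
    fail, found = triage(SAMPLE_REPORT)
    for kind, advisory, pkg, ver, patched in found:
        print(f"{kind}: {advisory} {pkg} {ver}, patched in {', '.join(patched)},"
              f" still affected: {not is_fixed(ver, patched)}")
    print("gate:", "FAIL" if fail else "PASS")
```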

avrabe and others added 2 commits July 1, 2026 13:16
The post-merge Security Audit on main went red — not on a vulnerability
(cargo-audit reports 0 found) but on a new informational `unsound` advisory:
RUSTSEC-2026-0190, anyhow < 1.0.103 `Error::downcast_mut()` unsoundness
(dated 2026-06-25, patched in 1.0.103). The `rustsec/audit-check` action then
tried to post a check-run annotation for the warning and failed with
"Resource not accessible by integration" because the workflow token lacks
`checks: write` — so a benign informational warning turned into a red required
check. anyhow is a transitive dep; bumping the lockfile to 1.0.103 removes the
unsoundness from our tree and the annotation trigger, greening main without
touching CI token permissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The lockfile bump left the existing `[[exemptions.anyhow]]` pinned at 1.0.102,
so cargo-vet rejected the now-unaudited 1.0.103. Re-pin the exemption to the
new version (transitive dep, same safe-to-deploy criteria).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
github-actions Bot commented Jul 1, 2026


Rivet verification gate

20/20 passed

count
Passed 20
Failed 0
Skipped (no steps) 0

Filter: (and (= type "feature") (or (has-tag "v093") (has-tag "v0100")))

Failed artifacts

(none)

Updated automatically by tools/post_verification_comment.py. Source of truth: artifacts/verification.yaml.

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@avrabe avrabe merged commit 3234624 into main Jul 1, 2026
18 checks passed
@avrabe avrabe deleted the chore/bump-anyhow-rustsec-2026-0190 branch July 1, 2026 16:03