chore(security): resolve pyo3 advisory ignores + bump site ws/yaml #2131
Open
chaliy wants to merge 2 commits into
Conversation
pyo3 and pyo3-async-runtimes are now at 0.29.0 (Cargo.lock), so the
RUSTSEC-2026-0176 (OOB read in PyList/PyTuple iterators) and
RUSTSEC-2026-0177 (missing Sync bound on PyCFunction::new_closure)
advisories no longer match any crate in the tree — both are patched in
pyo3 >=0.29. Remove the now-stale ignore entries from .cargo/audit.toml
and deny.toml, as their own comments instructed ("Remove on pyo3 0.29
bump").
Remaining ignores are all still-present, unfixable transitive deps:
RUSTSEC-2023-0071 (rsa Marvin, via russh), RUSTSEC-2023-0089
(atomic-polyfill unmaintained, via monty), RUSTSEC-2026-0173
(proc-macro-error2 unmaintained, bench-only via tabled).
Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | bashkit | 32b556f | Commit Preview URL / Branch Preview URL | Jun 28 2026, 01:37 AM |
Resolve two GitHub Dependabot security alerts on the site/ Astro project, both deep transitive dev dependencies:

- ws (GHSA-96hv-2xvq-fx4p, high): memory-exhaustion DoS from tiny fragments/data chunks; affects >=8.0.0 <8.21.0. Pulled via wrangler > miniflare > ws. Pin to >=8.21.0.
- yaml (GHSA-48c2-rrv3-qjmp, moderate): stack overflow via deeply nested YAML collections; affects >=2.0.0 <2.8.3. Pulled via @astrojs/check > @astrojs/language-server > volar-service-yaml > yaml-language-server > yaml. Pin to >=2.8.3 (resolves to 2.9.0).

Both are build/deploy tooling only (not shipped in the site bundle), but Dependabot flags them. Added pnpm overrides alongside the existing esbuild/undici security pins. pnpm audit now reports no known vulnerabilities.

Claude-Session: https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g
Security dependency hygiene across both monitored ecosystems (cargo + the npm lockfiles GitHub still scans).

1. Drop resolved pyo3 advisory ignores (cargo)

pyo3 and pyo3-async-runtimes are now at 0.29.0 in Cargo.lock (landed via #2122). These advisories are "patched in pyo3 >= 0.29", so they no longer match any crate in the tree; their ignore entries in .cargo/audit.toml and deny.toml are dead config:

- RUSTSEC-2026-0176: OOB read in PyList/PyTuple nth/nth_back
- RUSTSEC-2026-0177: missing Sync bound on PyCFunction::new_closure

Both entries carried explicit comments instructing removal "on pyo3 0.29 bump". Stale suppressions are a risk: they would silently re-mask the advisory if pyo3 were ever downgraded.

Remaining ignores all still point at present, unfixable transitive deps and are kept:

- RUSTSEC-2023-0071 (rsa Marvin, via russh)
- RUSTSEC-2023-0089 (atomic-polyfill unmaintained, via monty)
- RUSTSEC-2026-0173 (proc-macro-error2 unmaintained, bench-only via tabled)

2. Bump site ws/yaml to patched versions (npm)

Two GitHub Dependabot security alerts on the site/ Astro project, both deep transitive dev dependencies (build/deploy tooling, not shipped in the bundle):

- ws (GHSA-96hv-2xvq-fx4p, high): memory-exhaustion DoS; affects >=8.0.0 <8.21.0; via wrangler > miniflare > ws. Pinned >=8.21.0.
- yaml (GHSA-48c2-rrv3-qjmp, moderate): stack overflow via deeply nested collections; affects >=2.0.0 <2.8.3; via @astrojs/check > … > yaml. Pinned >=2.8.3 (resolves 2.9.0).

Added as pnpm overrides alongside the existing esbuild/undici security pins. pnpm audit now reports no known vulnerabilities for site/.

Verification

- pyo3 = 0.29.0 / pyo3-async-runtimes = 0.29.0 confirmed in Cargo.lock.
- pnpm audit clean for site/ after the override + lockfile regen.
- cargo-audit and cargo-deny check licenses sources (on networked runners) validate the cargo side.

https://claude.ai/code/session_01CCnF1i7QRggAj9as2RWs8g