Skip to content

Patch anyhow soundness advisory#46

Merged
AnthonyRonning merged 2 commits into
masterfrom
codex-maple-proxy-security-advisories-maple-proxy
Jul 12, 2026
Merged

Patch anyhow soundness advisory#46
AnthonyRonning merged 2 commits into
masterfrom
codex-maple-proxy-security-advisories-maple-proxy

Conversation

@AnthonyRonning

@AnthonyRonning AnthonyRonning commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • require anyhow >=1.0.103 and refresh the lockfile from 1.0.102
  • bump Maple Proxy from 0.1.11 to 0.1.12 in a separate commit
  • eliminate RUSTSEC-2026-0190 from both release artifacts and downstream locked dependency resolution

Security impact

RustSec classifies this as an informational unsoundness warning affecting anyhow::Error::downcast_mut. Maple Proxy and OpenSecret SDK do not currently call the affected method, so no reachable production path was found, but the v0.1.11 artifacts still contained the affected crate version. Raising the manifest floor ensures the fix is not limited to this repository lockfile.

Closes #45.

Validation

  • fresh cargo audit against advisory DB commit e202964: 0 vulnerabilities, 0 warnings
  • nix develop -c just check
    • formatting passed
    • clippy passed with warnings denied
    • all 12 tests passed
  • nix develop -c cargo check --locked after the version bump

Open in Devin Review

Summary by CodeRabbit

  • Chores
    • Updated the crate release version to 0.1.12.
    • Refreshed a dependency version for improved compatibility and maintenance.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b3a753de-8a29-4ee6-9d04-2f311cb8aea3

📥 Commits

Reviewing files that changed from the base of the PR and between 0aed11b and 08ff3c8.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • Cargo.toml

📝 Walkthrough

Walkthrough

Cargo.toml updates the crate version from 0.1.11 to 0.1.12 and changes the anyhow dependency constraint from 1.0 to 1.0.103.

Changes

Release and dependency update

Layer / File(s) Summary
Cargo metadata updates
Cargo.toml
The crate version is increased to 0.1.12, and anyhow is updated to 1.0.103.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Poem

A bunny hops through Cargo’s hay,
“New version, fresh dependencies today!”
Anyhow gets a safer tune,
The crate blooms beneath the moon.
Hop, hop—release away!

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Linked Issues check ❓ Inconclusive The PR updates anyhow to 1.0.103, but Cargo.lock was excluded so dependency-resolution cleanup cannot be verified. Update Cargo.lock and any release artifacts to remove RUSTSEC-2026-0190 from the resolved dependency graph, or provide the excluded file for review.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the dependency fix for the anyhow soundness advisory.
Out of Scope Changes check ✅ Passed The changes are limited to the anyhow bump and crate version update, which are in scope for the advisory fix.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex-maple-proxy-security-advisories-maple-proxy

Comment @coderabbitai help to get the list of available commands.

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@AnthonyRonning
AnthonyRonning merged commit 04c3ada into master Jul 12, 2026
22 checks passed
@AnthonyRonning
AnthonyRonning deleted the codex-maple-proxy-security-advisories-maple-proxy branch July 12, 2026 06:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0190: Unsoundness in Error::downcast_mut()

1 participant