fix(security): bump crossbeam-epoch 0.9.18 → 0.9.20 (RUSTSEC-2026-0204)#224
Merged
Conversation
Resolve a única vulnerabilidade que falha o job 'cargo audit' no CI: invalid pointer dereference no impl fmt::Pointer de Atomic/Shared (RUSTSEC-2026-0204). Correção do advisory: upgrade para >=0.9.20. Alteração restrita ao Cargo.lock (dependência transitiva; sem mudança de Cargo.toml nem de API). Os demais achados do audit (bincode unmaintained RUSTSEC-2025-0141, anyhow unsound RUSTSEC-2026-0190) são warnings e não falham o audit padrao. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wEuw8HPQaDLGqfFQoNUQ4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Objetivo
Corrigir a única barreira vermelha do CI: o job
Dependency audit — cargo audit(.github/workflows/lint-guards.yml).Diagnóstico
O log do
cargo auditreportava 1 vulnerabilidade (exit 1) e 2 warnings:crossbeam-epoch0.9.18) é a única vulnerabilidade → causa o exit 1.cargo auditpadrão:bincode1.3.3 — unmaintained (RUSTSEC-2025-0141)anyhow1.0.102 — unsound (RUSTSEC-2026-0190)crossbeam-epoché uma dependência transitiva; não está na allowlist derust/.cargo/audit.toml.Alteração
cargo update -p crossbeam-epoch→0.9.18para0.9.20(versão corrigida indicada pelo advisory).rust/Cargo.lock(2 linhas: versão + checksum).Cargo.toml, sem mudança de API — bump patch dentro de0.9.x.rust/.cargo/audit.tomlnão precisou de alteração.Verificação
cargo update -p crossbeam-epoch --dry-runconfirmou0.9.18 -> 0.9.20.cargo audit(que agora deve sair 0) e dobuildfica a cargo dos jobs de CI deste PR — o bináriocargo-auditnão pôde ser executado no ambiente local.🤖 Generated with Claude Code
https://claude.ai/code/session_019wEuw8HPQaDLGqfFQoNUQ4
Generated by Claude Code