From a67bffa2b4f6835dbb3291b3ef5a1db32d278785 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 14 Jul 2026 18:37:16 +0000 Subject: [PATCH] Log dependency-audit run to meta-audit history (2026-07-14) Second clean run of the day: cargo audit still 0 vulnerabilities across 329 crates, all deps unchanged and at latest. Same two recurring judgment-call findings (chess-engine staleness, dirs std-replaceable) logged for review; nothing auto-fixed. Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01WRAeVSN6awQegyEYyM3KnY --- .claude/skills/meta-audit/history/dependency-audit.jsonl | 1 + 1 file changed, 1 insertion(+) diff --git a/.claude/skills/meta-audit/history/dependency-audit.jsonl b/.claude/skills/meta-audit/history/dependency-audit.jsonl index 7af739a2..e8842ee4 100644 --- a/.claude/skills/meta-audit/history/dependency-audit.jsonl +++ b/.claude/skills/meta-audit/history/dependency-audit.jsonl @@ -12,3 +12,4 @@ {"type":"eval_marker","date":"2026-07-13","pr_url":"https://github.com/stphung/quest/pull/739","runs_covered":5} {"type":"run","date":"2026-07-14","commit_sha":"86dddc38340e55d1116f0c025eca822da07c0e2e","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively abandoned upstream; direct dependency of the chess challenge minigame","correct_value":"observed via live crates.io API lookup at commit 86dddc38340e55d1116f0c025eca822da07c0e2e (2026-07-14): 0.1.2 is max_stable and no newer version exists, so nothing to update to; not in RUSTSEC advisory DB (1160 advisories loaded, cargo audit exit 0); recurring finding (also logged 2026-07-12); risk is abandonment, flagged for owner review (vendor or replace), no action taken","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:serde_json float_roundtrip feature","claim":"float_roundtrip feature enabled with no greppable usage evidence (it is a parser-precision toggle with no API surface), making it look like an over-specified feature","correct_value":"state at commit 86dddc38340e55d1116f0c025eca822da07c0e2e: feature enabled in Cargo.toml; saves do serialize f64 (e.g. src/loom/types.rs:127 pub amount: f64), so the feature guarantees exact f64 round-trip of player save files through serde_json; it pulls no extra dependencies and costs only float-parse speed; assessed as intentional save-precision hardening and KEPT — removal flagged for owner review only (tiny save-fidelity risk for zero dependency reduction)","severity":"MEDIUM","category":"feature-review","auto_fixed":false},{"location":"Cargo.lock:rustls, Cargo.lock:zmij, Cargo.lock:mio (transitive)","claim":"compatible patch bumps became available upstream mid-audit: rustls 0.23.41 -> 0.23.42, zmij 1.0.21 -> 1.0.23, mio 1.2.1 -> 1.2.2 (published to crates.io between the Phase 1 agent's cargo update --dry-run, which showed 0 packages to lock, and the Phase 2 re-check ~1h later on 2026-07-14)","correct_value":"observed via live cargo update --dry-run runs at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; cargo update was applied to the local worktree lockfile for Phase 3 verification (make check), matching what CI resolves fresh on every run since no lockfile is committed — nothing committable resulted","severity":"LOW","category":"patch-bump","auto_fixed":true},{"location":"Cargo.lock:generic-array","claim":"generic-array locked at 0.14.7 while 0.14.9 is available as a semver-compatible patch; cargo update reports it as Unchanged (held back by a parent crate's constraint)","correct_value":"observed via live cargo update --dry-run/--verbose run at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; transitive dependency only, cargo update would lock 0 packages so this cannot be auto-bumped from this project's manifest; recurring finding (also logged 2026-07-11 and 2026-07-12)","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false},{"location":"Cargo.lock:rand (transitive)","claim":"two major-line copies of rand coexist in the dependency graph: transitive rand 0.8.7 alongside the direct rand 0.10.2","correct_value":"observed via live Cargo.lock inspection at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; the 0.8.7 copy is pulled by a transitive parent (identified as phf_generator via criterion's html_reports plotters/csscolorparser chain in the 2026-07-11 run; cargo tree could not be re-run this time because the original audit worktree was pruned mid-run) and is not fixable from this project's Cargo.toml; recurring finding","severity":"LOW","category":"transitive-duplicate","auto_fixed":false}]} {"type":"run","date":"2026-07-14","commit_sha":"7fd912ef5513c20c8b0242a6bbcf65992021cc8d","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever, ~8k downloads), effectively stale upstream","correct_value":"observed via live crates.io API lookup at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0.1.2 is max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean); recurring finding across prior runs; flagged for owner review (vendor or replace), no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) is replaceable by std::env::home_dir(), which was un-deprecated with corrected cross-platform behavior as of Rust 1.85","correct_value":"state at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: installed toolchain is rustc 1.94.1, well past the 1.85 un-deprecation; dirs has exactly one call site in the whole tree; genuinely std-replaceable but left as-is (behavioral/toolchain-MSRV judgment call, not auto-fixed) pending owner review","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar <=0.4.44 is affected by RUSTSEC-2026-0067 (unpack_in arbitrary chmod via symlink) and RUSTSEC-2026-0068 (PAX size-header desync), fixed in 0.4.45","correct_value":"observed via live cargo audit --deny yanked run at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0 vulnerabilities/warnings reported across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but the live-resolved tar version is 0.4.46 (patched) so this is not an active exposure; noted for awareness only, no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock (329 entries) contains orphaned entries not reachable from the live dependency graph (cargo tree -i returns nothing to print for these), including a stale generic-array 0.14.7 (0.14.9 available)","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree -i --target=all -e normal,build,dev at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking, so nothing is actionable from this project's Cargo.toml; recurring low-severity noise from an unpruned lockfile","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]} +{"type":"run","date":"2026-07-14","commit_sha":"8188785f2d50e5b3d023da3abec9f79cf43ccf84","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively stale upstream, recurring finding","correct_value":"observed via live crates.io API lookup at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0.1.2 is still max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean, 329 crates); GitHub archive status could not be checked this session (repo access to adam-mcdaniel/chess-engine not enabled); unchanged from the 2026-07-14 run at commit 7fd912e; flagged for owner review, no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) remains replaceable by std::env::home_dir(), recurring finding","correct_value":"state at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: unchanged from the 2026-07-14 run at commit 7fd912e (no commits touched src/core/paths.rs or Cargo.toml in between, confirmed via `git log --oneline 7fd912e..HEAD`); dirs 6.0.0 itself is actively maintained (published 2025-01-12; the withdrawn RUSTSEC-2020-0053 'unmaintained' advisory does not apply, cargo audit correctly does not flag it); left as-is pending owner review, not auto-fixed","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar's historical RUSTSEC-2026-0067/0068 (fixed in 0.4.45) remains mitigated by the resolved lockfile version","correct_value":"observed via live cargo audit --deny yanked run at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0 vulnerabilities/warnings across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but live-resolved tar is 0.4.46 (patched), same as the 2026-07-14 run at commit 7fd912e; no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock still contains the same orphaned/unreachable transitive entries as yesterday, not addressable from this project's Cargo.toml","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking; unchanged from the 2026-07-14 run at commit 7fd912e; recurring low-severity lockfile noise, no action possible","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]}