Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .claude/skills/meta-audit/history/dependency-audit.jsonl
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,4 @@
{"type":"eval_marker","date":"2026-07-13","pr_url":"https://github.com/stphung/quest/pull/739","runs_covered":5}
{"type":"run","date":"2026-07-14","commit_sha":"86dddc38340e55d1116f0c025eca822da07c0e2e","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively abandoned upstream; direct dependency of the chess challenge minigame","correct_value":"observed via live crates.io API lookup at commit 86dddc38340e55d1116f0c025eca822da07c0e2e (2026-07-14): 0.1.2 is max_stable and no newer version exists, so nothing to update to; not in RUSTSEC advisory DB (1160 advisories loaded, cargo audit exit 0); recurring finding (also logged 2026-07-12); risk is abandonment, flagged for owner review (vendor or replace), no action taken","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:serde_json float_roundtrip feature","claim":"float_roundtrip feature enabled with no greppable usage evidence (it is a parser-precision toggle with no API surface), making it look like an over-specified feature","correct_value":"state at commit 86dddc38340e55d1116f0c025eca822da07c0e2e: feature enabled in Cargo.toml; saves do serialize f64 (e.g. src/loom/types.rs:127 pub amount: f64), so the feature guarantees exact f64 round-trip of player save files through serde_json; it pulls no extra dependencies and costs only float-parse speed; assessed as intentional save-precision hardening and KEPT — removal flagged for owner review only (tiny save-fidelity risk for zero dependency reduction)","severity":"MEDIUM","category":"feature-review","auto_fixed":false},{"location":"Cargo.lock:rustls, Cargo.lock:zmij, Cargo.lock:mio (transitive)","claim":"compatible patch bumps became available upstream mid-audit: rustls 0.23.41 -> 0.23.42, zmij 1.0.21 -> 1.0.23, mio 1.2.1 -> 1.2.2 (published to crates.io between the Phase 1 agent's cargo update --dry-run, which showed 0 packages to lock, and the Phase 2 re-check ~1h later on 2026-07-14)","correct_value":"observed via live cargo update --dry-run runs at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; cargo update was applied to the local worktree lockfile for Phase 3 verification (make check), matching what CI resolves fresh on every run since no lockfile is committed — nothing committable resulted","severity":"LOW","category":"patch-bump","auto_fixed":true},{"location":"Cargo.lock:generic-array","claim":"generic-array locked at 0.14.7 while 0.14.9 is available as a semver-compatible patch; cargo update reports it as Unchanged (held back by a parent crate's constraint)","correct_value":"observed via live cargo update --dry-run/--verbose run at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; transitive dependency only, cargo update would lock 0 packages so this cannot be auto-bumped from this project's manifest; recurring finding (also logged 2026-07-11 and 2026-07-12)","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false},{"location":"Cargo.lock:rand (transitive)","claim":"two major-line copies of rand coexist in the dependency graph: transitive rand 0.8.7 alongside the direct rand 0.10.2","correct_value":"observed via live Cargo.lock inspection at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; the 0.8.7 copy is pulled by a transitive parent (identified as phf_generator via criterion's html_reports plotters/csscolorparser chain in the 2026-07-11 run; cargo tree could not be re-run this time because the original audit worktree was pruned mid-run) and is not fixable from this project's Cargo.toml; recurring finding","severity":"LOW","category":"transitive-duplicate","auto_fixed":false}]}
{"type":"run","date":"2026-07-14","commit_sha":"7fd912ef5513c20c8b0242a6bbcf65992021cc8d","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever, ~8k downloads), effectively stale upstream","correct_value":"observed via live crates.io API lookup at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0.1.2 is max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean); recurring finding across prior runs; flagged for owner review (vendor or replace), no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) is replaceable by std::env::home_dir(), which was un-deprecated with corrected cross-platform behavior as of Rust 1.85","correct_value":"state at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: installed toolchain is rustc 1.94.1, well past the 1.85 un-deprecation; dirs has exactly one call site in the whole tree; genuinely std-replaceable but left as-is (behavioral/toolchain-MSRV judgment call, not auto-fixed) pending owner review","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar <=0.4.44 is affected by RUSTSEC-2026-0067 (unpack_in arbitrary chmod via symlink) and RUSTSEC-2026-0068 (PAX size-header desync), fixed in 0.4.45","correct_value":"observed via live cargo audit --deny yanked run at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0 vulnerabilities/warnings reported across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but the live-resolved tar version is 0.4.46 (patched) so this is not an active exposure; noted for awareness only, no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock (329 entries) contains orphaned entries not reachable from the live dependency graph (cargo tree -i returns nothing to print for these), including a stale generic-array 0.14.7 (0.14.9 available)","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree -i --target=all -e normal,build,dev at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking, so nothing is actionable from this project's Cargo.toml; recurring low-severity noise from an unpruned lockfile","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]}
{"type":"run","date":"2026-07-14","commit_sha":"8188785f2d50e5b3d023da3abec9f79cf43ccf84","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively stale upstream, recurring finding","correct_value":"observed via live crates.io API lookup at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0.1.2 is still max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean, 329 crates); GitHub archive status could not be checked this session (repo access to adam-mcdaniel/chess-engine not enabled); unchanged from the 2026-07-14 run at commit 7fd912e; flagged for owner review, no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) remains replaceable by std::env::home_dir(), recurring finding","correct_value":"state at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: unchanged from the 2026-07-14 run at commit 7fd912e (no commits touched src/core/paths.rs or Cargo.toml in between, confirmed via `git log --oneline 7fd912e..HEAD`); dirs 6.0.0 itself is actively maintained (published 2025-01-12; the withdrawn RUSTSEC-2020-0053 'unmaintained' advisory does not apply, cargo audit correctly does not flag it); left as-is pending owner review, not auto-fixed","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar's historical RUSTSEC-2026-0067/0068 (fixed in 0.4.45) remains mitigated by the resolved lockfile version","correct_value":"observed via live cargo audit --deny yanked run at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0 vulnerabilities/warnings across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but live-resolved tar is 0.4.46 (patched), same as the 2026-07-14 run at commit 7fd912e; no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock still contains the same orphaned/unreachable transitive entries as yesterday, not addressable from this project's Cargo.toml","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking; unchanged from the 2026-07-14 run at commit 7fd912e; recurring low-severity lockfile noise, no action possible","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]}
Loading