From b73d04609e027920b36d350dcad6daddd7c5a1b5 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 18:16:57 +0000 Subject: [PATCH] Log dependency-audit run from 2026-07-15 Clean run: no unused dependencies/features, no security advisories, every direct dependency already at its latest compatible version. Only note is a transitive generic-array patch bump blocked upstream by crypto-common's exact version pin, and chess-engine's long-stale (but non-advisory) release history. Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01EerY6jpHyAeW4bFVxqt2Bm --- .claude/skills/meta-audit/history/dependency-audit.jsonl | 1 + 1 file changed, 1 insertion(+) diff --git a/.claude/skills/meta-audit/history/dependency-audit.jsonl b/.claude/skills/meta-audit/history/dependency-audit.jsonl index e8842ee4..af0ee095 100644 --- a/.claude/skills/meta-audit/history/dependency-audit.jsonl +++ b/.claude/skills/meta-audit/history/dependency-audit.jsonl @@ -13,3 +13,4 @@ {"type":"run","date":"2026-07-14","commit_sha":"86dddc38340e55d1116f0c025eca822da07c0e2e","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively abandoned upstream; direct dependency of the chess challenge minigame","correct_value":"observed via live crates.io API lookup at commit 86dddc38340e55d1116f0c025eca822da07c0e2e (2026-07-14): 0.1.2 is max_stable and no newer version exists, so nothing to update to; not in RUSTSEC advisory DB (1160 advisories loaded, cargo audit exit 0); recurring finding (also logged 2026-07-12); risk is abandonment, flagged for owner review (vendor or replace), no action taken","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:serde_json float_roundtrip feature","claim":"float_roundtrip feature enabled with no greppable usage evidence (it is a parser-precision toggle with no API surface), making it look like an over-specified feature","correct_value":"state at commit 86dddc38340e55d1116f0c025eca822da07c0e2e: feature enabled in Cargo.toml; saves do serialize f64 (e.g. src/loom/types.rs:127 pub amount: f64), so the feature guarantees exact f64 round-trip of player save files through serde_json; it pulls no extra dependencies and costs only float-parse speed; assessed as intentional save-precision hardening and KEPT — removal flagged for owner review only (tiny save-fidelity risk for zero dependency reduction)","severity":"MEDIUM","category":"feature-review","auto_fixed":false},{"location":"Cargo.lock:rustls, Cargo.lock:zmij, Cargo.lock:mio (transitive)","claim":"compatible patch bumps became available upstream mid-audit: rustls 0.23.41 -> 0.23.42, zmij 1.0.21 -> 1.0.23, mio 1.2.1 -> 1.2.2 (published to crates.io between the Phase 1 agent's cargo update --dry-run, which showed 0 packages to lock, and the Phase 2 re-check ~1h later on 2026-07-14)","correct_value":"observed via live cargo update --dry-run runs at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; cargo update was applied to the local worktree lockfile for Phase 3 verification (make check), matching what CI resolves fresh on every run since no lockfile is committed — nothing committable resulted","severity":"LOW","category":"patch-bump","auto_fixed":true},{"location":"Cargo.lock:generic-array","claim":"generic-array locked at 0.14.7 while 0.14.9 is available as a semver-compatible patch; cargo update reports it as Unchanged (held back by a parent crate's constraint)","correct_value":"observed via live cargo update --dry-run/--verbose run at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; transitive dependency only, cargo update would lock 0 packages so this cannot be auto-bumped from this project's manifest; recurring finding (also logged 2026-07-11 and 2026-07-12)","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false},{"location":"Cargo.lock:rand (transitive)","claim":"two major-line copies of rand coexist in the dependency graph: transitive rand 0.8.7 alongside the direct rand 0.10.2","correct_value":"observed via live Cargo.lock inspection at commit 86dddc38340e55d1116f0c025eca822da07c0e2e; Cargo.lock is gitignored and not re-derivable from git history; the 0.8.7 copy is pulled by a transitive parent (identified as phf_generator via criterion's html_reports plotters/csscolorparser chain in the 2026-07-11 run; cargo tree could not be re-run this time because the original audit worktree was pruned mid-run) and is not fixable from this project's Cargo.toml; recurring finding","severity":"LOW","category":"transitive-duplicate","auto_fixed":false}]} {"type":"run","date":"2026-07-14","commit_sha":"7fd912ef5513c20c8b0242a6bbcf65992021cc8d","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever, ~8k downloads), effectively stale upstream","correct_value":"observed via live crates.io API lookup at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0.1.2 is max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean); recurring finding across prior runs; flagged for owner review (vendor or replace), no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) is replaceable by std::env::home_dir(), which was un-deprecated with corrected cross-platform behavior as of Rust 1.85","correct_value":"state at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: installed toolchain is rustc 1.94.1, well past the 1.85 un-deprecation; dirs has exactly one call site in the whole tree; genuinely std-replaceable but left as-is (behavioral/toolchain-MSRV judgment call, not auto-fixed) pending owner review","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar <=0.4.44 is affected by RUSTSEC-2026-0067 (unpack_in arbitrary chmod via symlink) and RUSTSEC-2026-0068 (PAX size-header desync), fixed in 0.4.45","correct_value":"observed via live cargo audit --deny yanked run at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d: 0 vulnerabilities/warnings reported across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but the live-resolved tar version is 0.4.46 (patched) so this is not an active exposure; noted for awareness only, no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock (329 entries) contains orphaned entries not reachable from the live dependency graph (cargo tree -i returns nothing to print for these), including a stale generic-array 0.14.7 (0.14.9 available)","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree -i --target=all -e normal,build,dev at commit 7fd912ef5513c20c8b0242a6bbcf65992021cc8d; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking, so nothing is actionable from this project's Cargo.toml; recurring low-severity noise from an unpruned lockfile","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]} {"type":"run","date":"2026-07-14","commit_sha":"8188785f2d50e5b3d023da3abec9f79cf43ccf84","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, live lockfile only)","src/","tests/","benches/"],"findings":[{"location":"Cargo.toml:chess-engine","claim":"chess-engine 0.1.2 last published 2021-09-27 (only 3 releases ever), effectively stale upstream, recurring finding","correct_value":"observed via live crates.io API lookup at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0.1.2 is still max_stable_version and max_version, no newer release exists to bump to; not present in RUSTSEC advisory DB (1160 advisories loaded, live cargo audit run exit 0 clean, 329 crates); GitHub archive status could not be checked this session (repo access to adam-mcdaniel/chess-engine not enabled); unchanged from the 2026-07-14 run at commit 7fd912e; flagged for owner review, no action taken since there is nothing to update to","severity":"MEDIUM","category":"unmaintained-dep","auto_fixed":false},{"location":"Cargo.toml:dirs","claim":"dirs crate's sole usage (src/core/paths.rs:24, dirs::home_dir()) remains replaceable by std::env::home_dir(), recurring finding","correct_value":"state at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: unchanged from the 2026-07-14 run at commit 7fd912e (no commits touched src/core/paths.rs or Cargo.toml in between, confirmed via `git log --oneline 7fd912e..HEAD`); dirs 6.0.0 itself is actively maintained (published 2025-01-12; the withdrawn RUSTSEC-2020-0053 'unmaintained' advisory does not apply, cargo audit correctly does not flag it); left as-is pending owner review, not auto-fixed","severity":"LOW","category":"std-replaceable","auto_fixed":false},{"location":"Cargo.lock:tar","claim":"tar's historical RUSTSEC-2026-0067/0068 (fixed in 0.4.45) remains mitigated by the resolved lockfile version","correct_value":"observed via live cargo audit --deny yanked run at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84: 0 vulnerabilities/warnings across 329 scanned crates; Cargo.lock is gitignored and not re-derivable from git history, but live-resolved tar is 0.4.46 (patched), same as the 2026-07-14 run at commit 7fd912e; no action needed","severity":"LOW","category":"security-mitigated","auto_fixed":false},{"location":"Cargo.lock:generic-array,block-buffer,crypto-common,rand@0.8.7","claim":"Cargo.lock still contains the same orphaned/unreachable transitive entries as yesterday, not addressable from this project's Cargo.toml","correct_value":"observed via live cargo update --dry-run --verbose and cargo tree at commit 8188785f2d50e5b3d023da3abec9f79cf43ccf84; Cargo.lock is gitignored and not re-derivable from git history; cargo update --dry-run reports 0 packages need locking; unchanged from the 2026-07-14 run at commit 7fd912e; recurring low-severity lockfile noise, no action possible","severity":"LOW","category":"transitive-patch-lag","auto_fixed":false}]} +{"type":"run","date":"2026-07-15","commit_sha":"df7e9a9a22263be3856f6d3f2c44902790ed52d7","pr_url":null,"agent_count":2,"scope":["Cargo.toml","Cargo.lock (gitignored, not committed)","src/","tests/","benches/"],"findings":[{"location":"Cargo.lock:generic-array","claim":"generic-array locked at 0.14.7 while 0.14.9 is published on crates.io","correct_value":"Observed via live `cargo update --dry-run --verbose`/`cargo update -p generic-array --precise 0.14.9` run (Cargo.lock is gitignored, not re-derivable from git history). Not fixable: crypto-common v0.1.7 requires generic-array with an exact pin `=0.14.7`, so 0.14.9 cannot be selected regardless of our own Cargo.toml. Transitive-only, no direct dependency involved, no security advisory.","severity":"LOW","category":"patch-bump-blocked-upstream","auto_fixed":false},{"location":"Cargo.toml:chess-engine","claim":"chess-engine has had no new release in ~5 years (last published 2021-09-27, only 3 versions ever)","correct_value":"Observed via live `cargo info chess-engine` / sparse-index cache run at commit df7e9a9. Not flagged by RustSec, upstream repo not archived. Maintenance-risk note only, no action taken.","severity":"LOW","category":"maintenance-risk","auto_fixed":false}]}