Skip to content

security: cargo update to resolve medium/low Dependabot (openssl, ring, idna, tokio, rand, bytes)#72

Open
jhamon wants to merge 3 commits into
mainfrom
security/bump-cargo-med-low
Open

security: cargo update to resolve medium/low Dependabot (openssl, ring, idna, tokio, rand, bytes)#72
jhamon wants to merge 3 commits into
mainfrom
security/bump-cargo-med-low

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

Resolves all 17 open medium/low Dependabot alerts on pinecone-rust-client (PIN-28 / PIN-39).

Root workspace (Cargo.lock):

Alert(s) Package Change Sev
#1 #5 #7 #22 #28 #29 openssl 0.10.64 → 0.10.81 medium
#6 ring 0.17.8 → 0.17.14 medium
#4 idna 0.5.0 → 1.1.0 (via url 2.5.2→2.5.4) medium
#14 #17 #18 rustls-webpki 0.102.5 → 0.102.8 medium/low
#9 tokio 1.38.1 → 1.42.1 low
#25 rand 0.8.5 → 0.8.7 low
#12 bytes 1.6.1 → 1.12.1 medium

codegen/proto_build/Cargo.lock:

Alert(s) Package Change Sev
#11 bytes 1.6.0 → 1.12.1 medium
#24 rand 0.8.5 → 0.8.7 low
#8 tokio 1.38.0 → 1.42.1 low

All bumps are within semver-compatible minor/patch ranges. Applied via cargo update -p <pkg>.

Verification

  • cargo build --lib ✅ (root workspace)
  • cargo build ✅ (codegen/proto_build)
  • Full test suite requires PINECONE_API_KEY (integration) — not run here.

…8/PIN-39)

Bumps in root workspace Cargo.lock:
- openssl  0.10.64 -> 0.10.81  (#1, #5, #7, #22, #28, #29 - multiple CVEs, medium)
- ring     0.17.8  -> 0.17.14  (#6, medium)
- idna     0.5.0   -> 1.1.0    (#4, medium; required url 2.5.2 -> 2.5.4)
- rustls-webpki 0.102.5 -> 0.102.8  (#14, #17, #18 - medium/low)
- tokio    1.38.1  -> 1.42.1   (#9, low)
- rand     0.8.5   -> 0.8.7    (#25, low)
- bytes    1.6.1   -> 1.12.1   (#12, medium)

codegen/proto_build/Cargo.lock also updated:
- bytes 1.6.0 -> 1.12.1  (#11)
- rand  0.8.5 -> 0.8.7   (#24)
- tokio 1.38.0 -> 1.42.1 (#8)

Verified: cargo build --lib passes in root workspace; cargo build passes in
codegen/proto_build. Full test suite requires PINECONE_API_KEY (integration).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
jhamon and others added 2 commits July 11, 2026 16:40
- derivable_impls: replace manual impl Default with #[derive(Default)]
  and #[default] on 7 generated OpenAPI model enums
- result_large_err: suppress with #[allow] on client()/default_client()
- needless_return: remove trailing return in build_source_tag

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adding Default to these enums pushed the derive attribute past the
100-char width, so rustfmt 1.9 wraps them onto multiple lines. Apply
cargo fmt to clear the failing Rustfmt CI check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant