
deps(security): CORE Dependabot — rustls-webpki 0.103.13 + rand 0.10.1 (lock-only, precise)#21

Merged
RMANOV merged 1 commit into main from fix/dependabot-20260620-strix-core-precise on Jun 20, 2026

@RMANOV RMANOV commented Jun 20, 2026

CORE security dependency update (precise, lock-only)

Resolves the rustls-webpki + rand Dependabot advisories with precise bumps only — no collateral.

Changes (Cargo.lock only)

  • rustls-webpki 0.103.10 → 0.103.13
  • rand 0.10.0 → 0.10.1 (+ uuid's rand edge, consistent)
  • windows-sys 0.52.0 and getrandom 0.4.2 preserved (no collateral downgrades)

git diff origin/main --name-status = M Cargo.lock only. No Cargo.toml / source / docs. lru / gix-fs / gix-features deferred (separate post-submit follow-up).

Why precise (option B)

An earlier broad re-resolve downgraded windows-sys (0.52→0.48, via colored) and getrandom (0.4.2→0.3.4, via tempfile). The codex-ADVOCATE diff-gate required preserving those for W4 evidence reproducibility ahead of the DIANA freeze. Achieved via rand@0.10.0 --precise 0.10.1 first, then rustls-webpki, then a no-op colored re-pin.

Verification

  • cargo build --workspace: green (9 crates)
  • cargo test --workspace: ~1006 passed / 0 failed / 4 ignored (two independent runs)
  • public-surface verification: passed

Gates

  • ADVOCATE spec-gate: 29d6d90b834a · diff-gate PASS: 05b7828c7ee4
  • Merge held for: live CI green + review + operator direct go.

🤖 Generated with Claude Code
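
One way to check the "lock-only, no collateral" property claimed in the description above, as an added example that is not part of the PR or the project's tooling. The Cargo.lock excerpts are constructed, the function names are hypothetical, and 0.48.0 and 0.3.4 stand in for the downgraded versions the description mentions.

```python
import re

# Constructed Cargo.lock excerpts (not the repository's real lock file).
def lock(pairs):
    return "\n".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\n' for n, v in pairs)

BASE = lock([("getrandom", "0.4.2"), ("rand", "0.10.0"),
             ("rustls-webpki", "0.103.10"), ("windows-sys", "0.52.0")])
PRECISE = lock([("getrandom", "0.4.2"), ("rand", "0.10.1"),
                ("rustls-webpki", "0.103.13"), ("windows-sys", "0.52.0")])
BROAD = lock([("getrandom", "0.3.4"), ("rand", "0.10.1"),
              ("rustls-webpki", "0.103.13"), ("windows-sys", "0.48.0")])

INTENDED = {"rand": "0.10.1", "rustls-webpki": "0.103.13"}
PRESERVED = {"windows-sys": "0.52.0", "getrandom": "0.4.2"}

PKG = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\nversion = "([^"]+)"')

def versions(text):
    """Map crate name -> set of versions (a lock file may hold several)."""
    out = {}
    for name, ver in PKG.findall(text):
        out.setdefault(name, set()).add(ver)
    return out

def lock_changes(before, after):
    """Crates whose version set differs between two lock files."""
    b, a = versions(before), versions(after)
    return {n: (sorted(b.get(n, ())), sorted(a.get(n, ())))
            for n in sorted(b.keys() | a.keys()) if b.get(n) != a.get(n)}

def gate(before, after, intended, preserved):
    """Return {crate: reason} for every violation; empty dict means pass."""
    after_v = versions(after)
    problems = {}
    for name, (old, new) in lock_changes(before, after).items():
        if name not in intended:
            problems[name] = f"collateral change {old} -> {new}"
    for name, want in intended.items():
        if want not in after_v.get(name, set()):
            problems[name] = f"intended bump to {want} missing"
    for name, pin in preserved.items():
        if pin not in after_v.get(name, set()):
            problems[name] = f"pinned {pin} not preserved"
    return problems

if __name__ == "__main__":
    print("precise:", gate(BASE, PRECISE, INTENDED, PRESERVED))
    print("broad:  ", gate(BASE, BROAD, INTENDED, PRESERVED))
```
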

…+ rand 0.10.1 (lock-only, no collateral downgrades)

ADVOCATE diff-gate option B (msg 76dda2c639e6): precise -p bumps only;
windows-sys 0.52.0 and getrandom 0.4.2 preserved from origin/main.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 20, 2026 14:59

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.


@RMANOV RMANOV merged commit a6a9520 into main Jun 20, 2026
10 checks passed
@RMANOV RMANOV deleted the fix/dependabot-20260620-strix-core-precise branch June 20, 2026 15:09