
Bump rustls-webpki to 0.103.13 to fix GHSA-82j2-j2ch-gfr8 and GHSA-965h-392x-2mh5#1716

Merged
zlav merged 1 commit into master from fix/bump-rustls-webpki-ghsa-82j2-j2ch-gfr8 on May 26, 2026

Conversation

@zlav
Member

@zlav zlav commented May 26, 2026

Overview

Bumps the rustls-webpki Rust crate from 0.103.3 to 0.103.13 to resolve security vulnerabilities reported upstream by the rustls project.

Re-authors Dependabot PR #1702 so CI can run with repository secrets (the dependabot run failed dependency-scan, Linux-arm-build, and integration-test because Dependabot PRs are denied access to FOSSA_API_KEY and GITHUB_TOKEN).

Acceptance criteria

rustls-webpki resolves to 0.103.13 in Cargo.lock and the Rust workspace continues to build.

Testing plan

  1. cargo check --release passes with the updated dependency (verified locally).
  2. CI build and dependency-scan jobs pass.

Risks

Minimal — patch version bump of an indirect dependency with no API changes on our side. Cargo.toml is unchanged; only Cargo.lock moves. The change also re-resolves five unrelated windows-sys transitive entries from 0.52.0 to 0.59.0 as a side-effect of running cargo update.

Metrics

N/A

References

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
    • No tests needed — this is a dependency version bump with no code changes.
  • If this PR introduced a user-visible change, I added documentation into docs/.
    • N/A — no user-visible change.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
    • N/A
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
    • N/A — internal dependency update only.
  • If I made changes to .fossa.yml or fossa-deps.{json,yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command.
    • N/A
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
    • N/A
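The acceptance criterion above (rustls-webpki resolving to 0.103.13 in Cargo.lock) is easy to check mechanically, and the same check tells you which of the four advisories listed in this PR's commit message a given lockfile still carries. The following is an added example, not code from the fossa-cli repository or from the rustls project; the advisory-to-fixed-version mapping is taken from the PR text, and the Cargo.lock fragment is constructed for illustration.

```python
"""Report which rustls-webpki advisories from this PR remain unfixed for the
version pinned in a Cargo.lock.

Added example, not repository code. FIXED_IN comes from the PR's commit
message; SAMPLE_LOCK is a constructed lockfile fragment at the pre-bump version.
"""
import re

# Advisory ID -> first rustls-webpki release carrying the fix (per the PR text).
FIXED_IN = {
    "GHSA-82j2-j2ch-gfr8": "0.103.13",  # reachable panic in CRL parsing
    "GHSA-965h-392x-2mh5": "0.103.12",  # URI name constraints
    "GHSA-xgp8-3hg3-c2mh": "0.103.12",  # DNS wildcard name constraint
    "GHSA-pwjx-qhcg-rvj4": "0.103.10",  # CRL Distribution Point selection
}

# Constructed Cargo.lock fragment, pinned at the version this PR moves away from.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "rustls"
version = "0.23.5"
dependencies = [
 "rustls-webpki",
]

[[package]]
name = "rustls-webpki"
version = "0.103.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_version(v):
    """Turn "0.103.13" into (0, 103, 13) so that tuple ordering compares correctly
    ("0.103.3" < "0.103.13", which a plain string comparison gets wrong)."""
    return tuple(int(part) for part in v.split("."))


def resolved_versions(lock_text, crate):
    """Return every version of `crate` pinned in the lockfile.

    A lockfile may legitimately contain several copies of one crate, so all of
    them are returned; each [[package]] block is scanned for its name/version.
    """
    versions = []
    for block in re.split(r"^\[\[package\]\]$", lock_text, flags=re.M):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver and name.group(1) == crate:
            versions.append(ver.group(1))
    return versions


def outstanding_advisories(lock_text, crate="rustls-webpki", fixed_in=FIXED_IN):
    """Advisories whose fix landed after at least one pinned copy of `crate`."""
    outstanding = set()
    for pinned in resolved_versions(lock_text, crate):
        for ghsa, fixed in fixed_in.items():
            if parse_version(pinned) < parse_version(fixed):
                outstanding.add(ghsa)
    return sorted(outstanding)


if __name__ == "__main__":
    # Point this at a real lockfile with open("Cargo.lock").read() instead.
    for ghsa in outstanding_advisories(SAMPLE_LOCK):
        print(f"{ghsa}: fixed in rustls-webpki {FIXED_IN[ghsa]}")
```

For routine use, `cargo audit` (the RustSec tooling) covers this for every crate in the lockfile; the script above is only meant to make the acceptance criterion of this particular PR verifiable in isolation, including the version-ordering pitfall that makes `0.103.3` sort after `0.103.13` when compared as strings.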

…5h-392x-2mh5

Updates rustls-webpki from 0.103.3 to 0.103.13 to pick up upstream
security fixes:

- GHSA-82j2-j2ch-gfr8: reachable panic in CRL parsing (0.103.13)
- GHSA-965h-392x-2mh5: URI name constraints (0.103.12)
- GHSA-xgp8-3hg3-c2mh: DNS wildcard name constraint (0.103.12)
- GHSA-pwjx-qhcg-rvj4: CRL Distribution Point selection (0.103.10)

Re-authors the dependabot PR #1702 so CI runs with secret access.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@zlav zlav requested a review from a team as a code owner May 26, 2026 21:54
@zlav zlav requested a review from GauravB159 May 26, 2026 21:54
@zlav zlav removed the request for review from GauravB159 May 26, 2026 21:56
@zlav zlav enabled auto-merge (squash) May 26, 2026 22:11
@zlav zlav merged commit 874e0fc into master May 26, 2026
19 checks passed
@zlav zlav deleted the fix/bump-rustls-webpki-ghsa-82j2-j2ch-gfr8 branch May 26, 2026 22:17


2 participants