chore(infra): dep-update sweep cleanup (Phase 10, partial)#569
Merged
Phase 10 of the dep-update sweep — cleanup tasks done now; deferred
tasks listed below.
## Done in this PR
**Task 10.1 — RUSTSEC-2026-0097 comment rewrite (deny.toml):**
Made the ignore comment version-agnostic. The original said "rand
0.8.5" but the advisory now flags 0.7.3, 0.8.5, 0.9.2, AND 0.10.0
(all major versions; the underlying API contract didn't change).
The Kaiku rationale (we use `tracing` not the `log` facade, so the
exploit configuration is unreachable) is invariant across versions
— the new comment reflects that.
**Task 10.2 — Advisory gate snapshot:**
```
cargo audit: 1 vulnerability (RUSTSEC-2026-0097, already ignored)
24 allowed warnings (other ignored RUSTSECs)
cargo deny: advisories ok, bans ok, licenses ok, sources ok
bun audit: 10 vulnerabilities (4 high, 6 moderate) in mermaid
<= 11.14.0 — all CSS/HTML injection issues in
diagram rendering; pre-existing, fix-forward is a
mermaid major-version bump (out of scope).
```
**Task 10.4 — scap upstream re-check:**
Upstream latest release is still v0.1.0-beta.1 (2025-08-04). Issue
#178 (Linux Frame enum fix) still open, last upstream update
2025-10-26. No releases since. Updated the inline re-check date in
client/src-tauri/Cargo.toml; Detair/scap fork stays pinned.
## Deferred to follow-up PRs
These tasks expect the rest of the sweep to be merged first; running
them now would produce premature snapshots:
- **Task 10.3** (LICENSE_COMPLIANCE.md tree diff) — depends on a
pre-Phase-0 baseline cargo-tree dump which doesn't exist; would
need to be captured retroactively. Out of scope for now.
- **Task 10.5** (THIRD_PARTY_NOTICES.md) — best-effort license
scan; no new license categories appeared in `cargo deny check`
output, so no edit needed.
- **Task 10.6** (CLAUDE.md memory updates: feedback_webrtc_rs_rtcp,
project_webrtc_screen_share, new project_dep_update_2026_05) —
deferred until Phases 6d, 7, 8, 9 finish merging so the memory
reflects the actual shipped state, not a forecast.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary
Phase 10 of the dep-update sweep — small, low-risk cleanup. Tasks that depend on the other 4 in-flight PRs landing first are deferred to a follow-up PR.
## Done in this PR
**Task 10.1 — RUSTSEC-2026-0097 comment rewrite (deny.toml):**
Original comment said "rand 0.8.5", but the advisory now flags 0.7.3, 0.8.5, 0.9.2, and 0.10.0 — all major versions of rand. The underlying API contract for the exploit (custom `log::Log` impl calling `rand::thread_rng()` during logging) didn't change. Our rationale (we use `tracing`, not the `log` facade) is invariant across rand versions, so the new comment reflects that.
**Task 10.2 — Advisory gate snapshot:** as recorded in the commit message above.
**Task 10.4 — scap upstream re-check:**
Upstream latest release is still v0.1.0-beta.1 (2025-08-04). Issue #178 (Linux Frame enum fix) still open, last upstream update 2025-10-26. No releases since. Updated the inline re-check date in client/src-tauri/Cargo.toml; Detair/scap fork stays pinned.
## Deferred to a follow-up cleanup PR
These tasks expect the rest of the sweep to be merged first; running them now would produce premature snapshots:
- **Task 10.3** (LICENSE_COMPLIANCE.md tree diff) — depends on a pre-Phase-0 baseline cargo-tree dump which doesn't exist; would need to be captured retroactively. Out of scope for now.
- **Task 10.5** (THIRD_PARTY_NOTICES.md) — best-effort license scan; no new license categories appeared in `cargo deny check` output, so no edit needed.
- **Task 10.6** (CLAUDE.md memory updates: `feedback_webrtc_rs_rtcp`, `project_webrtc_screen_share`, new `project_dep_update_2026_05`) — deferred until chore(client): Phase 6d — bump lucide-solid + @solidjs/router majors #565, chore(crypto): Phase 7 — bump vodozemac 0.9 → 0.10 #566, chore(voice): Phase 8 — bump webrtc-rs stack 0.11 → 0.17 #567, and chore(client): Phase 9 — bump keyring 2 → 4 (rusqlite blocked) #568 finish merging so the memory reflects shipped state, not forecast.

🤖 Generated with Claude Code