
Bump anyhow to 1.0.103 for RUSTSEC-2026-0190#908

Open
dymk wants to merge 1 commit into OpenDevicePartnership:main from dymk:dymk/bump-anyhow-rustsec

Conversation

@dymk

@dymk dymk commented Jul 2, 2026

Contributor

Summary

anyhow 1.0.102 is flagged by RUSTSEC-2026-0190: an unsoundness in Error::downcast_mut() that can produce undefined behavior when a caller adds context via Error::context and later calls downcast_mut on the result.

anyhow is a build-time dependency (via partition-manager-macros), and the advisory currently fails the cargo-deny CI gate on every branch. 1.0.103 carries the upstream fix.

Changes

  • Cargo.lock: anyhow 1.0.102 → 1.0.103 (cargo update -p anyhow --precise 1.0.103).
  • supply-chain/config.toml: add a safe-to-deploy cargo-vet exemption for anyhow 1.0.103. The [[trusted.anyhow]] publisher window ends 2026-04-16, and 1.0.103 was published after that, so it needs an explicit entry. (An alternative would be to extend the trusted window; happy to switch to that if preferred.)

Testing

  • cargo deny --all-features --locked check advisories → advisories ok (previously failed on RUSTSEC-2026-0190).
  • cargo vet --locked → Vetting Succeeded.
  • cargo build --locked succeeds.

@dymk dymk requested a review from a team as a code owner July 2, 2026 21:41
Copilot AI review requested due to automatic review settings July 2, 2026 21:41

Copilot AI left a comment

Contributor


Pull request overview

Updates the workspace’s pinned anyhow version to incorporate the upstream fix for RUSTSEC-2026-0190 (unsoundness in Error::downcast_mut() after adding context), and adjusts cargo-vet configuration so CI supply-chain gates can pass with the newer release.

Changes:

  • Bump anyhow from 1.0.102 to 1.0.103 in Cargo.lock.
  • Add a safe-to-deploy cargo-vet exemption for anyhow 1.0.103 in supply-chain/config.toml.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File                       Description
supply-chain/config.toml   Adds a cargo-vet exemption entry for anyhow 1.0.103 to satisfy policy despite the trusted publisher window ending earlier.
Cargo.lock                 Updates the resolved anyhow package version/checksum to 1.0.103.

Comment thread on supply-chain/config.toml (outdated)

@kurtjd kurtjd left a comment

Member


Did you consider adding this to the ignore list in deny.toml instead of bumping and exempting the new version? I guess both have their risks, so I don't really know what the better approach is either.

I think it might be slightly better to just audit the diff of the new version instead of exempting it, should be a bit easier with Jerry's cargo vet agent skills here.

@dymk dymk force-pushed the dymk/bump-anyhow-rustsec branch from 7fc149c to 5413bea Compare July 2, 2026 22:19
anyhow 1.0.102 is flagged by RUSTSEC-2026-0190: an unsoundness in
`Error::downcast_mut()` that can produce undefined behavior after
`Error::context`. anyhow is a build-time dependency of
partition-manager-macros, and the advisory fails the cargo-deny CI gate
on every branch.

1.0.103 carries the upstream fix. Since it was published after the
`trusted.anyhow` publisher window ends (2026-04-16), add a cargo-vet
delta audit (1.0.102 -> 1.0.103) certifying it safe-to-deploy: the fix
reads error fields through raw pointers via ptr::addr_of! instead of
forming intermediate references, removing the aliasing UB.

Assisted-by: GitHub Copilot:claude-opus-4.8
@dymk dymk force-pushed the dymk/bump-anyhow-rustsec branch from 5413bea to 6b3d068 Compare July 3, 2026 02:43
@dymk

dymk commented Jul 3, 2026

Contributor Author

Good call — switched from the version exemption to a proper cargo-vet delta audit (1.0.102 -> 1.0.103, safe-to-deploy) in audits.toml.

I reviewed the diff: it's the RUSTSEC-2026-0190 soundness fix — object_downcast/context_chain_downcast now read the target field through a raw pointer (ptr::addr_of!) instead of forming an intermediate &ErrorImpl reference, which removes the aliasing UB exercised by downcast_mut (upstream also added a test_downcast_mut regression test; the rest is version/html_root_url bumps + CI config). Since anyhow 1.0.102 is still inside the [[trusted.anyhow]] publisher window, the delta chains cleanly to the trusted root. This keeps the repo at zero exemptions and doesn't churn imports.lock.

On the deny.toml ignore-list route — I skipped it because ignoring RUSTSEC-2026-0190 would keep the unsound 1.0.102 in the tree, whereas the bump actually fixes it.
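The commit message and the comment above both describe the 1.0.103 fix as reading a field through a raw pointer obtained with ptr::addr_of! instead of forming an intermediate reference. The following is an added illustration of that pattern, not anyhow's code: Holder and payload are a constructed stand-in for the error object and the field a downcast hands out, and the two functions contrast the aliasing pattern the advisory flags with the addr_of_mut! form the fix uses.

```rust
// Added illustration, not anyhow's code: `Holder` is a constructed
// stand-in for the error object, `payload` for the field a downcast
// hands out. The point is the borrow shape, not the error machinery.
use std::ptr;

pub struct Holder {
    pub payload: u32,
}

// Shape the advisory flags: a shared reference to the whole object is
// formed first, and a mutable reference to one field is then derived
// from it. Writing through a pointer that descends from a shared
// reference violates Rust's aliasing rules; `cargo +nightly miri test`
// reports it as undefined behaviour even though it often "works" at
// runtime. Kept only for comparison; nothing here calls it.
#[allow(dead_code)]
pub fn downcast_mut_unsound(h: &mut Holder) -> &mut u32 {
    let shared: &Holder = &*h; // intermediate shared reference
    let p = shared as *const Holder as *mut Holder;
    unsafe { &mut (*p).payload } // write access was never granted
}

// Shape of the fix: go straight from the `&mut` to a raw pointer and
// take the field's address with `ptr::addr_of_mut!`, so no intermediate
// reference is ever materialised and the returned `&mut u32` descends
// from `h` alone, which holds write permission.
pub fn downcast_mut_sound(h: &mut Holder) -> &mut u32 {
    let p = h as *mut Holder;
    unsafe { &mut *ptr::addr_of_mut!((*p).payload) }
}

// Small user of the sound path: mutate through the downcast, then read
// the field back through the original borrow to show they agree.
pub fn bump(h: &mut Holder) -> u32 {
    *downcast_mut_sound(h) += 1;
    h.payload
}

fn main() {
    let mut h = Holder { payload: 41 };
    println!("payload after bump: {}", bump(&mut h));
}
```

Running the file under Miri is what distinguishes the two functions; plain `cargo test` exercises only the sound path and passes for both shapes, which is exactly why this class of bug ships.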
