Bump anyhow to 1.0.103 for RUSTSEC-2026-0190 #908
Pull request overview
Updates the workspace’s pinned anyhow version to incorporate the upstream fix for RUSTSEC-2026-0190 (unsoundness in Error::downcast_mut() after adding context), and adjusts cargo-vet configuration so CI supply-chain gates can pass with the newer release.
Changes:
- Bump `anyhow` from `1.0.102` to `1.0.103` in `Cargo.lock`.
- Add a `safe-to-deploy` cargo-vet exemption for `anyhow 1.0.103` in `supply-chain/config.toml`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| supply-chain/config.toml | Adds a cargo-vet exemption entry for anyhow 1.0.103 to satisfy policy despite the trusted publisher window ending earlier. |
| Cargo.lock | Updates the resolved anyhow package version/checksum to 1.0.103. |
Did you instead consider adding this to the ignore list in deny.toml instead of bumping and exempting the new version? I guess both have their risks, so I don't really know what the better approach is either.
I think it might be slightly better to just audit the diff of the new version instead of exempting it, should be a bit easier with Jerry's cargo vet agent skills here.
Force-pushed 7fc149c to 5413bea
anyhow 1.0.102 is flagged by RUSTSEC-2026-0190: an unsoundness in `Error::downcast_mut()` that can produce undefined behavior after `Error::context`. anyhow is a build-time dependency of partition-manager-macros, and the advisory fails the cargo-deny CI gate on every branch. 1.0.103 carries the upstream fix.

Since it was published after the `trusted.anyhow` publisher window ends (2026-04-16), add a cargo-vet delta audit (1.0.102 -> 1.0.103) certifying it safe-to-deploy: the fix reads error fields through raw pointers via ptr::addr_of! instead of forming intermediate references, removing the aliasing UB.

Assisted-by: GitHub Copilot:claude-opus-4.8
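The commit message names the pattern behind the fix: project struct fields straight from a raw pointer with `ptr::addr_of!` / `ptr::addr_of_mut!` rather than forming a `&` or `&mut` to the whole object on the way to one field. The block below is an added illustration of that pattern in a small type-erased error with a `context` wrapper and a hand-rolled `downcast_mut`; it is not anyhow's code, does not reproduce the advisory's exact bug shape (which this page does not show), and the names `Error`, `ContextError`, `VTable`, `IoFailure` and `demo` are the example's own.

```rust
use std::any::TypeId;
use std::ptr;

/// Per-object function table. Every entry receives the raw object pointer and
/// works through raw-pointer projections only; none of them ever forms a
/// `&` or `&mut` to the whole object.
#[derive(Clone, Copy)]
struct VTable {
    /// Pointer to the innermost payload whose TypeId matches, or null.
    downcast_mut: unsafe fn(*mut (), TypeId) -> *mut (),
    drop_fn: unsafe fn(*mut ()),
}

/// Type-erased error: a leaked `Box<E>` or `Box<ContextError<C>>`.
pub struct Error {
    object: *mut (),
    vtable: VTable,
}

/// What `Error::context` wraps the previous error in.
struct ContextError<C> {
    context: C,
    error: Error,
}

unsafe fn drop_boxed<T>(p: *mut ()) {
    unsafe { drop(Box::from_raw(p as *mut T)) }
}

unsafe fn leaf_downcast_mut<E: 'static>(p: *mut (), target: TypeId) -> *mut () {
    if target == TypeId::of::<E>() { p } else { ptr::null_mut() }
}

unsafe fn context_downcast_mut<C: 'static>(p: *mut (), target: TypeId) -> *mut () {
    let p = p as *mut ContextError<C>;
    unsafe {
        if target == TypeId::of::<C>() {
            // Project the field directly from the raw pointer. Going through
            // `&mut *p` (or `&*p` and a cast) first would assert a borrow of
            // the whole wrapper; addr_of_mut! asserts nothing.
            return ptr::addr_of_mut!((*p).context) as *mut ();
        }
        // Not this layer: read the inner erased error's two Copy fields
        // through raw projections and recurse into its vtable.
        let inner = ptr::addr_of_mut!((*p).error);
        let object = ptr::addr_of!((*inner).object).read();
        let vtable = ptr::addr_of!((*inner).vtable).read();
        (vtable.downcast_mut)(object, target)
    }
}

impl Error {
    pub fn new<E: 'static>(err: E) -> Error {
        Error {
            object: Box::into_raw(Box::new(err)) as *mut (),
            vtable: VTable { downcast_mut: leaf_downcast_mut::<E>, drop_fn: drop_boxed::<E> },
        }
    }

    /// Wrap this error in a context value; the result downcasts to `C` and to
    /// anything the inner error downcast to.
    pub fn context<C: 'static>(self, context: C) -> Error {
        let wrapped = ContextError { context, error: self };
        Error {
            object: Box::into_raw(Box::new(wrapped)) as *mut (),
            vtable: VTable {
                downcast_mut: context_downcast_mut::<C>,
                drop_fn: drop_boxed::<ContextError<C>>,
            },
        }
    }

    pub fn downcast_mut<T: 'static>(&mut self) -> Option<&mut T> {
        // SAFETY: the vtable returns null or a pointer into the object we own,
        // which stays alive and unaliased for the duration of `&mut self`.
        let p = unsafe { (self.vtable.downcast_mut)(self.object, TypeId::of::<T>()) };
        if p.is_null() { None } else { Some(unsafe { &mut *(p as *mut T) }) }
    }
}

impl Drop for Error {
    fn drop(&mut self) {
        // SAFETY: `object` came from Box::into_raw with the type the vtable expects.
        unsafe { (self.vtable.drop_fn)(self.object) }
    }
}

#[derive(Debug, PartialEq)]
pub struct IoFailure { pub retries: u32 }

/// Downcast through two context layers, mutate the innermost payload, then
/// re-read it. Returns (retries after mutation, found &str context, found f64).
pub fn demo() -> (u32, bool, bool) {
    let mut err = Error::new(IoFailure { retries: 0 })
        .context("reading the partition table") // constructed sample context
        .context(7u8);
    if let Some(io) = err.downcast_mut::<IoFailure>() {
        io.retries += 3;
    }
    let retries = err.downcast_mut::<IoFailure>().map(|io| io.retries).unwrap_or(u32::MAX);
    let has_str = err.downcast_mut::<&'static str>().is_some();
    let has_f64 = err.downcast_mut::<f64>().is_some();
    (retries, has_str, has_f64)
}

fn main() {
    println!("{:?}", demo());
}
```

Miri (`cargo +nightly miri run`) is the tool that catches the aliasing-model violations this advisory class describes; running an unsafe downcast path under it, with context layers added first, is the check to keep in CI for code shaped like this.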
Force-pushed 5413bea to 6b3d068
Good call — switched from the version exemption to a proper cargo-vet delta audit ( I reviewed the diff: it's the RUSTSEC-2026-0190 soundness fix — On the
Summary

`anyhow 1.0.102` is flagged by RUSTSEC-2026-0190: an unsoundness in `Error::downcast_mut()` that can produce undefined behavior when a caller adds context via `Error::context` and later calls `downcast_mut` on the result. `anyhow` is a build-time dependency (via `partition-manager-macros`), and the advisory currently fails the `cargo-deny` CI gate on every branch. `1.0.103` carries the upstream fix.

Changes

- `Cargo.lock`: `anyhow 1.0.102 → 1.0.103` (`cargo update -p anyhow --precise 1.0.103`).
- `supply-chain/config.toml`: add a `safe-to-deploy` cargo-vet exemption for `anyhow 1.0.103`. The `[[trusted.anyhow]]` publisher window ends `2026-04-16`, and `1.0.103` was published after that, so it needs an explicit entry. (An alternative would be to extend the trusted window; happy to switch to that if preferred.)

Testing

- `cargo deny --all-features --locked check advisories`: `advisories ok` (previously failed on RUSTSEC-2026-0190).
- `cargo vet --locked`: `Vetting Succeeded`.
- `cargo build --locked` succeeds.
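The thread weighs three ways to get CI green: a cargo-deny advisory ignore, a cargo-vet exemption, and a cargo-vet delta audit (what the final revision landed). The fragments below are added example configuration showing each in cargo-vet's and cargo-deny's file formats; they are not the repository's actual `supply-chain/` or `deny.toml` contents. The `user-id`, `start`, `who` and `notes` values are placeholders; only the `2026-04-16` window end and the version numbers come from the page.

```toml
# --- supply-chain/audits.toml (added example) ---

# Publisher trust: releases by this crates.io user inside [start, end] count as
# safe-to-deploy. Moving `end` later is the "extend the trusted window"
# alternative from the PR description. user-id and start are placeholders.
[[trusted.anyhow]]
criteria = "safe-to-deploy"
user-id = 0            # placeholder: crates.io user id of the publisher
start = "2019-01-01"   # placeholder
end = "2026-04-16"     # window end quoted in the PR

# Delta audit: what the PR finally landed. It chains onto the trust entry that
# covers 1.0.102, so a reviewer only has to read the 1.0.102 -> 1.0.103 diff.
[[audits.anyhow]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder
criteria = "safe-to-deploy"
delta = "1.0.102 -> 1.0.103"
notes = "RUSTSEC-2026-0190 fix: error fields read via ptr::addr_of! rather than intermediate references."

# --- supply-chain/config.toml (added example) ---

# Exemption: what the first revision of the PR did. `cargo vet` passes, but
# nobody has certified the code and `cargo vet suggest` keeps listing it.
[[exemptions.anyhow]]
version = "1.0.103"
criteria = "safe-to-deploy"

# --- deny.toml (added example) ---

# Advisory ignore: the alternative raised in review. The vulnerable 1.0.102
# stays in the lockfile; only the CI failure goes away, so it needs an owner
# and a removal date.
[advisories]
ignore = ["RUSTSEC-2026-0190"]
```

To produce the audit entry rather than hand-edit it: `cargo vet diff anyhow 1.0.102 1.0.103` shows the delta to review, `cargo vet certify anyhow 1.0.102 1.0.103` records the certification into `audits.toml`, and `cargo vet --locked` is the CI gate the PR's Testing section already runs. Of the three, only the delta audit both passes the gate and leaves a reviewer's name attached to the new code.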