chore(deps): re-bump crossbeam-epoch 0.9.18 → 0.9.20 (RUSTSEC-2026-0204)#154
Merged
Conversation
…204) Same fix as #148: the ADR-0004 crate cutover (059cc0a) re-resolved Cargo.lock and pulled the vulnerable 0.9.18 back in, so main's Security Audit job has been red since #126/#149 merged. Lockfile-only, semver-compatible; cargo audit now exits 0 with the CI ignore list. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Lockfile-only re-application of #148:
cargo update -p crossbeam-epoch --precise 0.9.20. 2 lines.Why
The ADR-0004 crate cutover (059cc0a, merged in the #126/#149 wave) re-resolved
Cargo.lockand pulled the RUSTSEC-2026-0204-vulnerable crossbeam-epoch 0.9.18 back in — clobbering #148's fix from earlier the same day. Main's Security Audit job has been red on every run since (#126 and #149 both merged with failing CI), and every PR branched from current main inherits the failure — e.g. #153 is 11/12 green with only this audit red.Verification
cargo auditwith the workflow's exact ignore list: exit 0 (6 allowed warnings only)cargo check -p ant-core: clean — semver-compatible, no resolution changes beyond the one crateAfter this merges, #153 (and any other open PR) goes fully green on rebase/re-run.
🤖 Generated with Claude Code