
security(deps): bump rustls-webpki->0.103.13 (GHSA-82j2-j2ch-gfr8, HIGH) #34

Merged
hyperpolymath merged 1 commit into main from fix/rustls-webpki-GHSA-82j2-j2ch-gfr8 on Jun 16, 2026
Conversation

@hyperpolymath

Owner

What

Lockfile-only bump of rustls-webpki from 0.103.10 to 0.103.13. No Cargo.toml, licence, SPDX, or .gitattributes files were touched — the only change is Cargo.lock (version + checksum for rustls-webpki).

Why

Resolves a HIGH-severity DoS in rustls-webpki:

  • Advisory: GHSA-82j2-j2ch-gfr8 == RUSTSEC-2026-0104
  • Severity: CVSS 7.5 HIGH
  • Vulnerable: < 0.103.13
  • Fixed: 0.103.13
  • A malformed CRL BIT STRING can trigger a denial of service during certificate-revocation processing.

This resolves the repo's corresponding open Dependabot alert. Dependabot did not auto-PR this because rustls-webpki is a transitive / lockfile-only dependency (no direct entry in Cargo.toml), so the fix is a precise cargo update -p rustls-webpki --precise 0.103.13.

Residual

None. After the bump there are no rustls-webpki copies < 0.103.13 remaining in the lockfile (the repo had a single rustls-webpki entry).

Provenance / handling

  • Commit is ssh-signed with the estate signing key.
  • Branch was cut from fresh origin/main via a new shallow clone (not a local working copy).
  • Only Cargo.lock is staged/changed.

Security PR -> manual review, do not auto-merge.

Generated with Claude Code.

Resolves the rustls-webpki CRL BIT STRING DoS (GHSA-82j2-j2ch-gfr8 /
RUSTSEC-2026-0104, CVSS 7.5 HIGH, fixed 0.103.13). Lockfile-only bump.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
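The "Residual" check above (no rustls-webpki copy below the fixed version left in the lockfile) is easy to automate. This is an added example, not code from the pull request or the repository: it parses the `[[package]]` tables of a Cargo.lock and lists every copy of a crate whose version is below a given fix version. The lockfile fragment is constructed for illustration (the rustls version and checksum are placeholders); the rustls-webpki versions match the advisory.

```python
"""Find copies of a crate in a Cargo.lock that are still below a fixed version."""
import re
from typing import Iterator, List, Tuple

# Constructed Cargo.lock fragment (not the repo's real lockfile): one direct
# rustls entry pulling in two distinct rustls-webpki copies, one vulnerable.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "rustls"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls-webpki 0.103.10",
]

[[package]]
name = "rustls-webpki"
version = "0.103.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "placeholder-checksum"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """'0.103.13' -> (0, 103, 13); any pre-release/build suffix is dropped."""
    return tuple(int(part) for part in re.split(r"[-+]", v)[0].split("."))

def packages(lock_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every [[package]] table in a Cargo.lock."""
    name = version = None
    # A trailing sentinel header flushes the last block without special-casing it.
    for raw in lock_text.splitlines() + ["[[package]]"]:
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                yield name, version
            name = version = None
        elif (m := re.fullmatch(r'name = "([^"]+)"', line)):
            name = m.group(1)
        elif (m := re.fullmatch(r'version = "([^"]+)"', line)):
            version = m.group(1)

def vulnerable_copies(lock_text: str, crate: str, fixed: str) -> List[str]:
    """Versions of `crate` present in the lockfile that are below `fixed`."""
    return [v for n, v in packages(lock_text)
            if n == crate and parse_version(v) < parse_version(fixed)]

if __name__ == "__main__":
    left = vulnerable_copies(SAMPLE_LOCK, "rustls-webpki", "0.103.13")
    print("rustls-webpki copies still < 0.103.13:", left or "none")
```

Run against the real `Cargo.lock` after `cargo update -p rustls-webpki --precise 0.103.13`; an empty result is the condition the PR description states for "Residual: none".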
@github-actions


🔍 Hypatia Security Scan

Findings: 40 issues detected

Severity     Count
🔴 Critical  2
🟠 High      29
🟡 Medium    9

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/docmatrix/docmatrix",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit b9ed515 into main Jun 16, 2026
10 of 11 checks passed
@hyperpolymath hyperpolymath deleted the fix/rustls-webpki-GHSA-82j2-j2ch-gfr8 branch June 16, 2026 17:20