fix(security): patch rustls-webpki and rand vulnerabilities#3506

Open
amitksingh1490 wants to merge 1 commit into
mainfrom
fix/security-vulnerabilities

Conversation

amitksingh1490 commented on Jun 13, 2026


No description provided.

Addresses the following Dependabot security alerts:
- #38 (high): rustls-webpki DoS via panic on malformed CRL BIT STRING (fixed in 0.103.13)
- #36 (low): rustls-webpki name constraints accepted for wildcard certs (fixed in 0.103.12)
- #35 (low): rustls-webpki name constraints for URI names incorrectly accepted (fixed in 0.103.12)
- #37 (low): rand unsound with custom logger using rand::rng() (fixed in 0.8.6)

Note: hickory-proto (#42 high, #43 medium) requires reqwest 0.13.x, which is already tracked by PR #2956. esbuild alerts (#47, #48) are addressed by PR #3497.

Co-Authored-By: ForgeCode <noreply@forgecode.dev>
amitksingh1490 added the label "type: fix" (Iterations on existing features or infrastructure) on Jun 13, 2026