chore(deps): update bytes to 1.11.1 to fix RUSTSEC-2026-0007#7986
Pull request overview
This PR updates the bytes crate dependency from 1.11.0 to 1.11.1 to address a security vulnerability (RUSTSEC-2026-0007) involving an integer overflow in BytesMut::reserve. The PR also pins the cargo-deny version in the CI workflow.
Changes:
- Updated `bytes` crate to fix integer overflow vulnerability
- Pinned `cargo-deny` tool version to 0.18.6 in GitHub Actions workflow
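The advisory this PR addresses is described above only by its class, an integer overflow in a `reserve`-style method. The following is an added illustration of that bug class in a toy buffer; it is constructed for this page and is not the `bytes` crate's code, and the page does not describe the actual `BytesMut::reserve` code path. `ToyBuf`, `ReserveError` and the method names are hypothetical. It contrasts a length computation that wraps (what plain `+` on `usize` does in a release build with the default `overflow-checks = false`) with one that uses `checked_add` and refuses the request.

```rust
// Constructed example (not the bytes crate): a minimal growable buffer whose
// reserve path shows why `len + additional` must be computed with overflow
// checks. Names here are hypothetical.

/// Toy buffer: `len` bytes in use out of `cap` allocated (no real storage,
/// only the bookkeeping that a real reserve() would get wrong).
pub struct ToyBuf {
    len: usize,
    cap: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ReserveError {
    /// `len + additional` does not fit in usize.
    Overflow,
}

impl ToyBuf {
    pub fn with_capacity(cap: usize) -> Self {
        ToyBuf { len: 0, cap }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    pub fn capacity(&self) -> usize {
        self.cap
    }

    /// The defective computation: when `len + additional` exceeds usize::MAX
    /// the sum wraps to a small number, so the "required" capacity looks tiny,
    /// no growth happens, and a later write of `additional` bytes would run
    /// past the allocation. `wrapping_add` spells out what unchecked `+` does
    /// in a release build.
    pub fn required_capacity_wrapping(&self, additional: usize) -> usize {
        self.len.wrapping_add(additional)
    }

    /// The hardened computation: fail closed on overflow instead of wrapping.
    pub fn reserve_checked(&mut self, additional: usize) -> Result<(), ReserveError> {
        let required = self
            .len
            .checked_add(additional)
            .ok_or(ReserveError::Overflow)?;
        if required > self.cap {
            // Grow geometrically, but never let the doubling itself overflow.
            let doubled = self.cap.saturating_mul(2);
            self.cap = required.max(doubled);
        }
        Ok(())
    }

    /// Simulate appending `n` bytes after a successful reserve.
    pub fn put(&mut self, n: usize) -> Result<(), ReserveError> {
        self.reserve_checked(n)?;
        self.len += n;
        Ok(())
    }
}

fn main() {
    let mut b = ToyBuf::with_capacity(8);
    b.put(6).unwrap();
    // Wrapping arithmetic reports a "required" capacity of 5 for a request
    // that cannot possibly fit; the checked path returns Err(Overflow).
    println!("wrapping: {}", b.required_capacity_wrapping(usize::MAX));
    println!("checked:  {:?}", b.reserve_checked(usize::MAX));
}
```

The point to carry into review of any buffer type is that the size arithmetic, not just the allocation call, needs the overflow check; a `Cargo.lock` bump like this one is how consumers pick up that fix without code changes.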
Summary of Changes

Hello @jdx, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request performs a crucial dependency update to enhance the project's security. By upgrading the

Highlights
Changelog
Ignored Files
Activity
Fixes integer overflow vulnerability in `BytesMut::reserve`. Also removes stale RUSTSEC-2026-0002 ignore (lru issue was fixed upstream). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
6785333 to 009fbb5
Code Review
This pull request updates the bytes crate from version 1.11.0 to 1.11.1 to address the security vulnerability RUSTSEC-2026-0007. The change in Cargo.lock is correct and effectively mitigates the reported integer overflow issue. This is a good security practice and the change is approved.
| { id = "RUSTSEC-2024-0370", reason = "proc-macro-error dependency from sigstore crate - no safe upgrade available" }, | ||
| { id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin attack vulnerability from sigstore crate - no safe upgrade available" }, | ||
| { id = "RUSTSEC-2025-0119", reason = "number_prefix crate is unmaintained - used by indicatif/self_update, no safe upgrade available" }, | ||
| { id = "RUSTSEC-2026-0002", reason = "lru crate soundness issue - used by aws-sdk-s3, waiting for upstream fix" }, |
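Review bot: the removal of the `RUSTSEC-2026-0002` ignore entry on the last line is not mentioned in the PR summary; only the commit message says the lru issue was fixed upstream. Add that to the PR description together with the `lru` version that carries the fix, and confirm that `cargo deny check` (the test plan's check) passes against the updated `Cargo.lock`, since with the entry gone a still-affected `lru` will fail CI instead of being silently ignored.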
Undocumented removal of unrelated security advisory ignore
Medium Severity
The ignore entry for RUSTSEC-2026-0002 (lru crate soundness issue) was removed, but this change is completely unrelated to the stated PR purpose of updating bytes to fix RUSTSEC-2026-0007. The project still uses lru version 0.16.3 which the advisory affects. The original comment indicated "waiting for upstream fix" - if the fix is now available this removal may be intentional, but it's undocumented in the PR description. This appears to be an accidental deletion during editing of this security configuration file.
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.2 x -- echo | 21.6 ± 0.4 | 20.5 | 24.1 | 1.00 |
| mise x -- echo | 22.1 ± 0.8 | 20.5 | 28.7 | 1.03 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.2 env | 20.9 ± 0.8 | 19.9 | 27.6 | 1.00 |
| mise env | 21.7 ± 0.6 | 20.5 | 24.7 | 1.04 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.2 hook-env | 21.9 ± 0.5 | 20.7 | 25.8 | 1.00 |
| mise hook-env | 22.4 ± 0.6 | 21.1 | 24.4 | 1.03 ± 0.04 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.2 ls | 19.3 ± 0.4 | 18.4 | 20.9 | 1.00 |
| mise ls | 19.7 ± 0.4 | 18.9 | 21.4 | 1.02 ± 0.03 |
xtasks/test/perf
| Command | mise-2026.2.2 | mise | Variance |
|---|---|---|---|
| install (cached) | 115ms | 113ms | +1% |
| ls (cached) | 71ms | 71ms | +0% |
| bin-paths (cached) | 76ms | 75ms | +1% |
| task-ls (cached) | 539ms | 550ms | -2% |
### 🐛 Bug Fixes

- **(install)** allow pipx/npm/cargo/asdf backends to work in locked mode by @jdx in [#7985](#7985)

### 📦️ Dependency Updates

- update bytes to 1.11.1 to fix RUSTSEC-2026-0007 by @jdx in [#7986](#7986)

### 📦 Registry

- add mermaid-ascii by @TyceHerrman in [#7984](#7984)
- add godot ([aqua:godotengine/godot](https://github.com/godotengine/godot)) by @dmarcoux in [#7989](#7989)
- add julia (http:julia) by @quinnj in [#7990](#7990)

### New Contributors

- @quinnj made their first contribution in [#7990](#7990)
- @dmarcoux made their first contribution in [#7989](#7989)

## 📦 Aqua Registry Updates

#### New Packages (2)

- [`chainloop-dev/chainloop`](https://github.com/chainloop-dev/chainloop)
- [`redhat.com/openshift-install`](https://github.com/redhat.com/openshift-install)
## Summary

- Update `bytes` crate from 1.11.0 to 1.11.1
- Fixes integer overflow vulnerability in `BytesMut::reserve` (RUSTSEC-2026-0007)

## Test plan

- [x] `cargo deny check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **Medium Risk**
> Updates a foundational Rust dependency (`bytes`), which can have broad impact on buffer/memory behavior even as a patch release. Change is low in scope but could surface subtle runtime or compatibility regressions in consumers.
>
> **Overview**
> Updates the `bytes` crate in `Cargo.lock` from `1.11.0` to `1.11.1` (refreshing the associated checksum) to pick up the latest fixes.
>
> Removes the `RUSTSEC-2026-0002` advisory ignore entry from `deny.toml`, tightening `cargo deny` advisory enforcement.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 009fbb5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>