
docs(security): triage RUSTSEC-2026-0190 (anyhow < 1.0.103 downcast_mut unsoundness)#27

Merged
fastrevmd-lab merged 1 commit into main from chore/anyhow-rustsec-2026-0190 on Jul 2, 2026

Conversation

@fastrevmd-lab

Owner

Closes #26.

Summary

cargo audit flagged RUSTSEC-2026-0190 — unsoundness in anyhow::Error::downcast_mut() (safe-code-triggerable Stacked-Borrows violation; affected < 1.0.103, patched 1.0.103). Our local lock had anyhow 1.0.102.

Triage

anyhow is not a direct dep of any workspace crate. It enters only via a target-gated wasm chain — getrandom 0.4.2 → wasip3 → wit-bindgen → … → anyhow — that resolves solely for wasm32-wasip3. cargo tree -i anyhow (even --target all) reports "nothing to print" on real hosts. rustEZ is a tokio Junos automation library, never built for wasm, so the unsound path is unreachable in practice.

Fix

Cargo.lock is gitignored in this repo, so nothing is pinned and there's no tracked lockfile to change. CI regenerates the lock on each run and now auto-resolves the patched anyhow 1.0.103. Local cargo update -p anyhow --precise 1.0.103 refreshes dev/audit runs to match. No crate version bump, no republish (library ignores lock downstream; rustez-cli unpublished).

This PR commits the triage/analysis dump only.

Verification

  • cargo audit → RUSTSEC-2026-0190 occurrences: 0 (only residual is the pre-existing allowed yanked-aes 0.9.0 warning)
  • cargo check --workspace clean · cargo test -p rustez → 52 passed

🤖 Generated with Claude Code

https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
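Added example, not code from the rustEZ project or this PR: a small Rust gate for the CI resolve the description relies on. It reads a constructed Cargo.lock excerpt and fails the job when any anyhow entry is older than the patched 1.0.103; the lock text, the function names and the 1.40.0 tokio entry are assumptions.

```rust
// Added example, not rustEZ project code: a CI gate over the freshly resolved
// Cargo.lock that fails if any `anyhow` entry is older than the 1.0.103 patch.

/// Extract (name, version) pairs from every `[[package]]` table in the lock.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push((n, v)); // the last table has no following header
    }
    out
}

/// "MAJOR.MINOR.PATCH" as a comparable tuple (pre-release tags are ignored).
fn semver(v: &str) -> (u64, u64, u64) {
    let mut it = v.split(['.', '-', '+']).map(|p| p.parse::<u64>().unwrap_or(0));
    (it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}

/// Versions of `crate_name` in the lock that are below `patched`.
pub fn vulnerable_versions(lock: &str, crate_name: &str, patched: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, v)| n.as_str() == crate_name && semver(v) < semver(patched))
        .map(|(_, v)| v)
        .collect()
}

// Constructed lock excerpt: a stale anyhow next to the patched one (two resolve paths).
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"anyhow\"\nversion = \"1.0.102\"\n\
[[package]]\nname = \"anyhow\"\nversion = \"1.0.103\"\n\
[[package]]\nname = \"tokio\"\nversion = \"1.40.0\"\n";
fn main() {
    let stale = vulnerable_versions(SAMPLE_LOCK, "anyhow", "1.0.103");
    if !stale.is_empty() {
        eprintln!("RUSTSEC-2026-0190: stale anyhow {stale:?} in Cargo.lock");
        std::process::exit(1); // fail the CI job
    }
}
```

Against the real lockfile, read it with `std::fs::read_to_string("Cargo.lock")` in place of the constructed sample; a clean run matches the "occurrences: 0" result in the verification list.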

…ness)

anyhow 1.0.102 flagged by cargo audit. It is a phantom transitive dep
reachable only via the wasm32-wasip3 chain (getrandom 0.4.2 -> wasip3 ->
wit-bindgen -> anyhow); cargo tree cannot reach it on any real target, so
the unsound Error::downcast_mut path is unreachable in rustEZ builds.

Cargo.lock is gitignored here, so nothing is pinned and CI's fresh resolve
now picks the patched anyhow 1.0.103 automatically. Local `cargo update -p
anyhow --precise 1.0.103` refreshes dev/audit runs to match. Records the
triage + fix rationale.

Refs #26.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CALA6Gum4MdPTeEPf6vant
@fastrevmd-lab fastrevmd-lab merged commit 6986c76 into main Jul 2, 2026
1 check passed
@fastrevmd-lab fastrevmd-lab deleted the chore/anyhow-rustsec-2026-0190 branch July 2, 2026 15:30


Development

Successfully merging this pull request may close these issues.

security: cargo audit RUSTSEC-2026-0190 — anyhow < 1.0.103 Error::downcast_mut unsoundness