
hardening: audit remediation — hostile-input bounds, model_hash gate, dependency advisories, CI gates#60

Merged
brennercruvinel merged 2 commits into main from hardening/audit-remediation on Jul 1, 2026

Conversation

@han-hoff han-hoff (Collaborator) commented Jul 1, 2026

Follow-up to #59: clears the dependency-advisory backlog and turns on the guardrails that keep it clear. Two commits, rebased onto main after #59's squash-merge.

1. Dependency advisories (deps:)

| Crate | Bump | Fixes |
| --- | --- | --- |
| pyo3 | 0.28.3 → 0.29.0 | GHSA-36hh-v3qg-5jq4 (high: OOB read in PyList/PyTuple iterator nth/nth_back), GHSA-chgr-c6px-7xpp (missing Sync bound on PyCFunction::new_closure) — closes all 4 open Dependabot alerts |
| anyhow | 1.0.102 → 1.0.103 | RUSTSEC-2026-0190 (unsound downcast_mut after context) |
| memmap2 | 0.9.10 → 0.9.11 | RUSTSEC-2026-0186 (unchecked pointer offset in advise_range/flush_range) |

Exposure assessment: none of the vulnerable call patterns exist in this workspace — the only PyList iteration is a next()-based for-loop (build_inputs.rs), PyCFunction/new_closure is never used, and neither downcast_mut-after-context nor advise_range/flush_range appear anywhere. The bumps are hygiene, and they clear the tree so cargo-audit can gate merges. The anyhow/memmap2 advisories came from an OSV batch query over the full lockfile — Dependabot has not alerted on those two yet.

Migration notes: pyo3 0.29 MSRV is 1.83 (project MSRV is 1.85); abi3-py312 unchanged; zero source changes required.

2. CI gate + dependabot (ci:)

  • cargo-audit flips from continue-on-error (advisory) to blocking, per the note left in the workflow — the backlog is now clear.
  • .github/dependabot.yml restored (removed in #51, "Delete .github/dependabot.yml"): weekly cargo + github-actions, patch/minor grouped into single PRs to keep noise low. pip intentionally omitted — pyproject.toml only declares >= floors in a PEP 735 dependency group, so version updates would have nothing to bump.

Validation

  • cargo fmt --check, cargo clippy --workspace --all-targets --locked -- -D warnings, cargo test --workspace --locked: green locally on the rebased branch (includes the #58 NEON f16 probe path, "gate the aarch64 neon f16 intrinsics behind a rustc 1.94+ probe (restore msrv 1.85)", on an arm64 host).
  • OSV batch query over all 111 lockfile packages after the bumps: 0 vulnerable entries.
  • The pyo3 bump was additionally trial-built and full-suite-tested in a clean worktree before landing.

Follow-up (needs repo admin)

Enable Dependabot security updates in Settings → Advanced Security so future alerts open PRs automatically (the API rejects non-admin accounts).
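The two configurations the PR describes, as an added illustration rather than the project's committed files: a dependabot.yml with weekly cargo and github-actions updates grouped by patch/minor (and no pip entry), and the cargo-audit CI step in its advisory form beside the blocking one. The group names, the job name and the workflow trigger are assumptions.

```yaml
# .github/dependabot.yml (illustrative; not the project's committed file)
version: 2
updates:
  # Cargo: one weekly run, with patch/minor bumps batched into a single PR
  # so the review load stays low while the lockfile keeps moving.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      cargo-minor-patch:          # group name is an assumption
        update-types: ["minor", "patch"]
  # Workflow actions drift too, and an unpinned action is a supply-chain
  # surface; keep them on the same weekly cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-patch:        # group name is an assumption
        update-types: ["minor", "patch"]
  # No "pip" entry: pyproject.toml declares only ">=" floors in a PEP 735
  # dependency group, so version updates would have nothing to bump.
---
# Excerpt of a CI workflow (illustrative; job name and trigger assumed).
name: audit
on: [push, pull_request]
jobs:
  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked
      # Before: advisory only. A new RUSTSEC entry matching Cargo.lock is
      # reported in the log, but the job stays green and the backlog grows.
      #
      #   - run: cargo audit
      #     continue-on-error: true
      #
      # After: blocking. With the backlog cleared, any advisory against the
      # committed lockfile fails this job and therefore the merge.
      - run: cargo audit
```

Dependabot security updates (alerts opening PRs automatically) are a repository setting, not something dependabot.yml can turn on, which is why the PR leaves that step to a repo admin.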

@han-hoff han-hoff closed this Jul 1, 2026
@han-hoff han-hoff reopened this Jul 1, 2026
han-hoff added 2 commits July 1, 2026 17:40
….9.11

pyo3 0.29.0 fixes GHSA-36hh-v3qg-5jq4 (OOB read in PyList/PyTuple
iterator nth/nth_back) and GHSA-chgr-c6px-7xpp (missing Sync bound on
PyCFunction::new_closure), closing all four open Dependabot alerts.
anyhow 1.0.103 (RUSTSEC-2026-0190) and memmap2 0.9.11
(RUSTSEC-2026-0186) are patch bumps surfaced by an OSV sweep of the
full lockfile. None of the affected APIs are used in this workspace;
the bumps are hygiene so cargo-audit can gate merges.
The advisory backlog is cleared, so cargo-audit now fails CI on any
new advisory against the committed lockfile. dependabot.yml (removed
in #51) is restored with weekly cargo + github-actions updates,
grouped to keep PR noise low; pip stays out because pyproject.toml
only declares >= floors in a PEP 735 group.
@han-hoff han-hoff force-pushed the hardening/audit-remediation branch from b0d89f3 to 4cf6bd5 Compare July 1, 2026 20:46
@brennercruvinel brennercruvinel merged commit de8b19d into main Jul 1, 2026
7 checks passed
@brennercruvinel brennercruvinel deleted the hardening/audit-remediation branch July 1, 2026 21:04