hardening: audit remediation — hostile-input bounds, model_hash gate, dependency advisories, CI gates #60
Merged
….9.11 pyo3 0.29.0 fixes GHSA-36hh-v3qg-5jq4 (OOB read in PyList/PyTuple iterator nth/nth_back) and GHSA-chgr-c6px-7xpp (missing Sync bound on PyCFunction::new_closure), closing all four open Dependabot alerts. anyhow 1.0.103 (RUSTSEC-2026-0190) and memmap2 0.9.11 (RUSTSEC-2026-0186) are patch bumps surfaced by an OSV sweep of the full lockfile. None of the affected APIs are used in this workspace; the bumps are hygiene so cargo-audit can gate merges.
The advisory backlog is cleared, so cargo-audit now fails CI on any new advisory against the committed lockfile. dependabot.yml (removed in #51) is restored with weekly cargo + github-actions updates, grouped to keep PR noise low; pip stays out because pyproject.toml only declares >= floors in a PEP 735 group.
b0d89f3 to 4cf6bd5
Follow-up to #59: clears the dependency-advisory backlog and turns on the guardrails that keep it clear. Two commits, rebased onto main after #59's squash-merge.
1. Dependency advisories (`deps:`)

- …`PyList`/`PyTuple` iterator `nth`/`nth_back`), GHSA-chgr-c6px-7xpp (missing `Sync` bound on `PyCFunction::new_closure`) — closes all 4 open Dependabot alerts
- …`downcast_mut` after `context`)
- …`advise_range`/`flush_range`)

Exposure assessment: none of the vulnerable call patterns exist in this workspace — the only `PyList` iteration is a `next()`-based for-loop (`build_inputs.rs`), `PyCFunction`/`new_closure` is never used, and neither `downcast_mut`-after-`context` nor `advise_range`/`flush_range` appear anywhere. The bumps are hygiene, and they clear the tree so cargo-audit can gate merges. The anyhow/memmap2 advisories came from an OSV batch query over the full lockfile — Dependabot has not alerted on those two yet.

Migration notes: pyo3 0.29 MSRV is 1.83 (project MSRV is 1.85); `abi3-py312` unchanged; zero source changes required.

2. CI gate + dependabot (`ci:`)

- `cargo-audit` flips from `continue-on-error` (advisory) to blocking, per the note left in the workflow — the backlog is now clear.
- `.github/dependabot.yml` restored (removed in "Delete .github/dependabot.yml" #51): weekly `cargo` + `github-actions`, patch/minor grouped into single PRs to keep noise low. `pip` intentionally omitted — `pyproject.toml` only declares `>=` floors in a PEP 735 dependency group, so version updates would have nothing to bump.

Validation

`cargo fmt --check`, `cargo clippy --workspace --all-targets --locked -- -D warnings`, `cargo test --workspace --locked`: green locally on the rebased branch (includes the "gate the aarch64 neon f16 intrinsics behind a rustc 1.94+ probe (restore msrv 1.85)" #58 NEON f16 probe path on an arm64 host).

Follow-up (needs repo admin)

Enable Dependabot security updates in Settings → Advanced Security so future alerts open PRs automatically (the API rejects non-admin accounts).