Skip to content

fix(deps): bump quinn-proto to 0.11.15 (RUSTSEC-2026-0185)#141

Merged
jacderida merged 1 commit into
WithAutonomi:mainfrom
Nic-dorman:nic/quinn-proto-rustsec-2026-0185
Jul 7, 2026
Merged

fix(deps): bump quinn-proto to 0.11.15 (RUSTSEC-2026-0185)#141
jacderida merged 1 commit into
WithAutonomi:mainfrom
Nic-dorman:nic/quinn-proto-rustsec-2026-0185

Conversation

@Nic-dorman

Copy link
Copy Markdown
Contributor

Summary

Bump quinn-proto 0.11.14 → 0.11.15 in the committed lockfile to clear RUSTSEC-2026-0185 (remote memory exhaustion via unbounded out-of-order stream reassembly).

Details

  • Reaches this workspace transitively: saorsa-transport → quinn → quinn-proto, all over caret ranges — so 0.11.15 resolves with no Cargo.toml change, lockfile-only.
  • Advisory: affected < 0.11.15, patched >= 0.11.15.
  • Keeps cargo audit green and keeps any binaries built from this repo off the vulnerable version.

Lockfile-only; no code or API impact.

quinn-proto <0.11.15 is vulnerable to remote memory exhaustion via
unbounded out-of-order stream reassembly (RUSTSEC-2026-0185). It reaches
this workspace transitively through saorsa-transport -> quinn ->
quinn-proto over a caret range, so the patched 0.11.15 resolves in the
committed lockfile with no Cargo.toml constraint change.

Keeps `cargo audit` green and any distributed binaries off the
vulnerable version.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jacderida jacderida merged commit e77bccf into WithAutonomi:main Jul 7, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants