fix: update time and bytes crates for RUSTSEC-2026-0009 and RUSTSEC-2026-0007 #10

Merged
AnthonyRonning merged 2 commits into master from fix/rustsec-2026-0009-time-dos
Feb 9, 2026

@AnthonyRonning AnthonyRonning commented Feb 9, 2026

Summary

Updates transitive dependencies to resolve two security advisories:

  • RUSTSEC-2026-0009: time 0.3.41 -> 0.3.47 -- Denial of service via stack exhaustion when parsing RFC 2822 formatted input.
  • RUSTSEC-2026-0007: bytes 1.10.1 -> 1.11.1 -- Integer overflow in BytesMut::reserve leading to out-of-bounds memory access in release builds (CVE-2026-25541).

Changes

  • Cargo.lock only -- no source code changes.

Testing

  • cargo build -- clean
  • cargo test -- all passing
  • cargo clippy -- -D warnings -- clean

Closes #9

Resolves denial of service via stack exhaustion when parsing
RFC 2822 formatted input.

Closes #9

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

coderabbitai bot commented Feb 9, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Resolves integer overflow in BytesMut::reserve that can lead to
out-of-bounds memory access in release builds.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@AnthonyRonning changed the title from "fix: update time crate to 0.3.47 (RUSTSEC-2026-0009)" to "fix: update time and bytes crates for RUSTSEC-2026-0009 and RUSTSEC-2026-0007" Feb 9, 2026

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

@AnthonyRonning AnthonyRonning merged commit a4c7136 into master Feb 9, 2026
15 checks passed
@AnthonyRonning AnthonyRonning deleted the fix/rustsec-2026-0009-time-dos branch February 9, 2026 21:13
Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0009: Denial of Service via Stack Exhaustion
