Skip to content

fix: RUSTSEC-2026-0194#518

Merged
emlautarom1 merged 1 commit into
mainfrom
feat/fix-rustsec0194
Jul 3, 2026
Merged

fix: RUSTSEC-2026-0194#518
emlautarom1 merged 1 commit into
mainfrom
feat/fix-rustsec0194

Conversation

@iamquang95

Copy link
Copy Markdown
Collaborator

Two dependency-only changes in the workspace root Cargo.toml:

  • quick-xml 0.39 → 0.41 — fixes RUSTSEC-2026-0194 (quadratic-runtime DoS). Used in one place (speedtest.rs, quick_xml::de::from_reader); serialize still exists in 0.41, so no code change.
  • libp2p: "full" → explicit feature list — fixes RUSTSEC-2026-0097 (rand 0.7.3 unsound). rand 0.7.3 was pulled only by cuckoofilter ← libp2p-floodsub, enabled solely by libp2p's catch-all "full". Pluto wires no floodsub/pubsub, so "full" is replaced with the exact features the transport/behaviour builders use (derived from crates/p2p/src/p2p.rs), plus macros, secp256k1, and mdns (qbft example). This deletes the dependency at the root instead of suppressing the advisory.

@iamquang95 iamquang95 requested review from emlautarom1 and varex83 July 3, 2026 11:09
@emlautarom1 emlautarom1 merged commit 40ac2df into main Jul 3, 2026
14 checks passed
@emlautarom1 emlautarom1 deleted the feat/fix-rustsec0194 branch July 3, 2026 17:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants