build: bump russh 0.61.1 + tar 0.4.46 to clear all 7 Dependabot alerts#11

Merged: kipavy merged 2 commits into dev from chore/russh-0.61-security on Jun 4, 2026

Conversation

@kipavy kipavy commented Jun 4, 2026

Summary

Resolves all 7 open Dependabot alerts (4 high, 3 moderate) flagged on the default branch. The 7 alerts collapse to 3 distinct advisories (each russh advisory was filed twice — once against Cargo.lock, once against src-tauri/Cargo.toml).

| Advisory | Severity | Crate | Issue | Fix |
|---|---|---|---|---|
| GHSA-wwx6-x28x-8259 | High | russh | unbounded post-decompression SSH packet size | russh 0.61.1 |
| GHSA-g9f8-wqj9-fjw5 | High | russh / russh-cryptovec | unchecked CryptoVec allocation/growth | cryptovec 0.61.0 |
| GHSA-hpv4-5h6f-wqr3 | Moderate | russh | userauth state not reset on principal change | russh 0.61.0 |
| GHSA-3pv8-6f4r-ffg2 | Moderate | tar | PAX header desynchronization | tar 0.4.46 |

Changes

  • russh 0.60.2 → 0.61.1, russh-cryptovec 0.59.0 → 0.61.0, russh-sftp 2.1 → 2.3 (src-tauri/Cargo.toml + lockfile)
  • tar 0.4.45 → 0.4.46 (transitive via tauri-plugin-updater, lockfile-only)
  • Pinned primefield to 0.14.0-rc.9 in the lockfile to match the p256/p384/p521 rc.9 that russh's ssh-key 0.7 RC pulls in — cargo otherwise greedily resolved the incompatible rc.10, breaking the crypto crates' build.

Notes

  • No source changes were required — russh 0.61 stayed API-compatible for everything Voltius uses (21 russh-touching files).
  • ⚠️ A future unguarded cargo update could re-bump primefield past rc.9 and reintroduce the build break, until those pre-release crates stabilize.

Verification

  • cargo build
  • cargo clippy --all-targets ✅ (clean)
  • cargo test ✅ (62 passed)
  • ⏳ Recommend a manual SSH + SFTP smoke test against a live host before merge — automated tests don't exercise live transport.
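The primefield pin and the warning that an unguarded cargo update could drift it invite a lockfile guard in CI. The following is an added example, not part of the PR or the Voltius code base: it parses a constructed Cargo.lock excerpt, checks the advisory floors from the table above (russh 0.61.1, tar 0.4.46) against every locked copy of each crate, and enforces the exact primefield rc.9 pin, with a small semver ordering so that rc.10 correctly ranks above rc.9.

```python
import re

# Constructed Cargo.lock excerpt for the example (not the project's real lockfile); real entries also carry source/checksum lines.
SAMPLE_LOCK = """\
[[package]]
name = "primefield"
version = "0.14.0-rc.9"

[[package]]
name = "russh"
version = "0.61.1"

[[package]]
name = "tar"
version = "0.4.46"
"""

MIN_VERSIONS = {"russh": "0.61.1", "tar": "0.4.46"}  # versions carrying the advisory fixes, from the PR table
EXACT_PINS = {"primefield": "0.14.0-rc.9"}  # the pin the PR adds; an unguarded `cargo update` could move it


def parse_lock(text):
    """Map crate name -> list of locked versions (Cargo.lock may hold a crate at several versions)."""
    pkgs, name = {}, None
    for line in text.splitlines():
        if m := re.fullmatch(r'name = "([^"]+)"', line.strip()):
            name = m.group(1)
        elif (m := re.fullmatch(r'version = "([^"]+)"', line.strip())) and name:
            pkgs.setdefault(name, []).append(m.group(1))
    return pkgs


def version_key(v):
    """Semver ordering key: numeric core, then pre-release ids (numeric < alphanumeric); a release outranks its pre-releases."""
    core, _, pre = v.partition("-")
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")) if pre else ()
    return (tuple(int(x) for x in core.split(".")), 0 if pre else 1, ids)


def check_lock(text):
    """Return the policy violations found; every locked copy must meet its floor, and an absent floored crate is a finding."""
    pkgs, problems = parse_lock(text), []
    for crate, floor in MIN_VERSIONS.items():
        for v in pkgs.get(crate) or ["<missing>"]:
            if v == "<missing>" or version_key(v) < version_key(floor):
                problems.append(f"{crate} {v} does not meet fixed version {floor}")
    for crate, pin in EXACT_PINS.items():
        for v in pkgs.get(crate, []):  # an absent pinned crate has nothing to drift
            if v != pin:
                problems.append(f"{crate} {v} drifted from pin {pin}")
    return problems
```

Run it against the real lockfile with `check_lock(open("src-tauri/Cargo.lock").read())` in a CI step and fail the job on a non-empty result.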

kipavy added 2 commits June 4, 2026 19:50

Patches the tar PAX header desynchronization advisory (moderate).
Transitive dep via tauri-plugin-updater; lockfile-only, in-range bump.

Upgrades russh 0.60.2 -> 0.61.1, russh-cryptovec 0.59 -> 0.61.0, and
russh-sftp 2.1 -> 2.3. Clears:
  - GHSA-wwx6-x28x-8259 (high)  unbounded post-decompression packet size
  - GHSA-g9f8-wqj9-fjw5 (high)  unchecked CryptoVec allocation/growth
  - GHSA-hpv4-5h6f-wqr3 (med)   userauth state not reset on principal change

Pinned primefield to 0.14.0-rc.9 to match p256/p384/p521 rc.9, which
russh's ssh-key 0.7 RC pulls in; cargo otherwise greedily resolved the
incompatible rc.10. No source changes needed; build, clippy, and tests
all pass.
@kipavy kipavy merged commit df341a0 into dev Jun 4, 2026
1 check passed
@kipavy kipavy deleted the chore/russh-0.61-security branch June 4, 2026 18:32