
chore: bump deps to resolve OSV vulnerabilities#142

Open
SVilgelm wants to merge 1 commit intorust-mcp-stack:mainfrom
SVilgelm:chore/bump-deps-osv-fixes

Conversation


@SVilgelm SVilgelm commented May 5, 2026

Reduce known vulnerabilities from 17 to 1:

  • cargo update: openssl 0.10.78, aws-lc-sys 0.40.0, rustls-webpki 0.103.13, rustls 0.23.40, rand 0.8.6 / 0.9.4
  • axum-server 0.7 → 0.8 (drops vulnerable rustls-pemfile@2.2.0); add SocketAddr generic to Handle usages
  • wiremock 0.5 → 0.6 (drops vulnerable instant@0.1.13 and rand@0.7.3); migrate test_streamable_http_client to http-crate types

Residual: rsa@0.9.10 (RUSTSEC-2023-0071) via oauth2-test-server, a dev-dependency only with no upstream fix.

Fixes: #140

Reduce known vulnerabilities from 17 to 1:
- cargo update: openssl 0.10.78, aws-lc-sys 0.40.0, rustls-webpki 0.103.13,
  rustls 0.23.40, rand 0.8.6 / 0.9.4
- axum-server 0.7 -> 0.8 (drops vulnerable rustls-pemfile@2.2.0); add
  SocketAddr generic to Handle usages
- wiremock 0.5 -> 0.6 (drops vulnerable instant@0.1.13 and rand@0.7.3);
  migrate test_streamable_http_client to http-crate types

Residual: rsa@0.9.10 (RUSTSEC-2023-0071) via oauth2-test-server, a
dev-dependency only with no upstream fix.

Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
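As an added example (not the project's code and not part of this PR), the following std-only Rust program is the kind of post-bump check a reviewer would run: it reads the `[[package]]` tables of a Cargo.lock and verifies that the crates named in the description are at or above the listed patched versions per semver line, that the versions the axum-server and wiremock bumps were meant to drop are gone, and that the one accepted residual (rsa 0.9.10, RUSTSEC-2023-0071) is recorded with its reason rather than silently passing. The version floors and the forbidden versions come from the PR text; the `BEFORE` and `AFTER` lockfile snippets are constructed for the demo (the `openssl 0.10.72` entry is an illustrative older version, not a claim about the repository's real pre-PR lockfile), and `parse_lock`, `version_at_least`, `same_line`, `audit_lock` and `LockReport` are the example's own names.

```rust
// Added example, not code from the rust-mcp-sdk project: after `cargo update` and
// the axum-server / wiremock bumps, check that Cargo.lock carries the patched
// versions the PR lists, no longer carries the dropped ones, and that the single
// accepted residual is on record with its reason. std only, no cargo needed.

/// Minimum patched versions per semver line, from the PR description (rand is
/// present twice in the graph, so each 0.x line gets its own floor).
const REQUIRED_MIN: &[(&str, &str)] = &[("openssl", "0.10.78"), ("aws-lc-sys", "0.40.0"),
    ("rustls-webpki", "0.103.13"), ("rustls", "0.23.40"), ("rand", "0.8.6"), ("rand", "0.9.4")];
/// Exact versions the axum-server and wiremock bumps were meant to drop.
const FORBIDDEN: &[(&str, &str)] = &[("rustls-pemfile", "2.2.0"), ("instant", "0.1.13"), ("rand", "0.7.3")];
/// Residual accepted with a reason; any other known-vulnerable version is a problem.
const ACCEPTED: &[(&str, &str, &str)] =
    &[("rsa", "0.9.10", "RUSTSEC-2023-0071, dev-dependency only via oauth2-test-server, no upstream fix")];

/// Minimal Cargo.lock reader: (name, version) of every `[[package]]` table;
/// `source`, `checksum` and `dependencies` lines are ignored. A sentinel
/// `[[package]]` is appended so the last table is flushed like the others.
pub fn parse_lock(text: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for line in text.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    out
}

/// "0.103.13" -> [0, 103, 13]; a pre-release or build suffix is dropped.
pub fn version_key(v: &str) -> Vec<u64> {
    let core = v.split(|c| c == '-' || c == '+').next().unwrap_or("");
    core.split('.').map(|p| p.parse::<u64>().unwrap_or(0)).collect()
}

/// Component-wise `v >= min`; missing trailing components count as 0.
pub fn version_at_least(v: &str, min: &str) -> bool {
    let (mut a, mut b) = (version_key(v), version_key(min));
    let n = a.len().max(b.len());
    a.resize(n, 0);
    b.resize(n, 0);
    a >= b
}

/// Same major.minor line, so rand 0.9.x is not judged against the 0.8 floor.
pub fn same_line(v: &str, min: &str) -> bool {
    version_key(v).iter().take(2).eq(version_key(min).iter().take(2))
}

#[derive(Debug, Default, PartialEq)]
pub struct LockReport {
    pub problems: Vec<String>, // below floor or still forbidden; empty means the bumps took
    pub accepted: Vec<String>, // known-vulnerable but on the accepted-residual list
}

pub fn audit_lock(lock: &str) -> LockReport {
    let mut report = LockReport::default();
    for (name, version) in parse_lock(lock) {
        let (name, version) = (name.as_str(), version.as_str());
        for &(n, min) in REQUIRED_MIN {
            if name == n && same_line(version, min) && !version_at_least(version, min) {
                report.problems.push(format!("{name}@{version} is below the required {min}"));
            }
        }
        if FORBIDDEN.contains(&(name, version)) {
            report.problems.push(format!("{name}@{version} is still in the graph"));
        }
        if let Some(&(_, _, why)) = ACCEPTED.iter().find(|&&(n, v, _)| (n, v) == (name, version)) {
            report.accepted.push(format!("{name}@{version} accepted: {why}"));
        }
    }
    report
}

/// Constructed sample lockfiles for the demo (not the repository's Cargo.lock):
/// BEFORE resembles the pre-PR graph, AFTER the post-PR graph.
pub const BEFORE: &str = "[[package]]\nname = \"instant\"\nversion = \"0.1.13\"\n\
    source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\n\
    [[package]]\nname = \"openssl\"\nversion = \"0.10.72\"\n\n\
    [[package]]\nname = \"rand\"\nversion = \"0.7.3\"\n\n\
    [[package]]\nname = \"rsa\"\nversion = \"0.9.10\"\n\n\
    [[package]]\nname = \"rustls-pemfile\"\nversion = \"2.2.0\"\n";
pub const AFTER: &str = "[[package]]\nname = \"openssl\"\nversion = \"0.10.78\"\n\n\
    [[package]]\nname = \"rand\"\nversion = \"0.8.6\"\n\n\
    [[package]]\nname = \"rand\"\nversion = \"0.9.4\"\n\n\
    [[package]]\nname = \"rsa\"\nversion = \"0.9.10\"\n\n\
    [[package]]\nname = \"rustls\"\nversion = \"0.23.40\"\n";

fn main() {
    for (label, lock) in [("before", BEFORE), ("after", AFTER)] {
        let r = audit_lock(lock);
        println!("{label}: problems={:?} accepted={:?}", r.problems, r.accepted);
    }
}
```

Run against the real lockfile by reading `Cargo.lock` into a string and passing it to `audit_lock`; a non-empty `problems` list means a bump did not take (a second copy of a crate on an older semver line is the usual cause), and anything that shows up in `accepted` should match the residual the PR description already documents. Matching floors per major.minor line is deliberate: a 0.9.x rand passing a 0.8.6 floor would hide an unpatched 0.9 release, which is why rand carries two entries.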
Copilot AI review requested due to automatic review settings May 5, 2026 20:30

Copilot AI left a comment


Pull request overview

This PR updates workspace dependencies (notably TLS/HTTP stack and test tooling) to reduce known OSV-reported vulnerabilities, including upgrading axum-server and wiremock, and refreshing Cargo.lock accordingly.

Changes:

  • Bump axum-server from 0.7 to 0.8 and update server handle types to the new generic Handle<SocketAddr> API.
  • Bump wiremock from 0.5 to 0.6 and adjust the streamable HTTP client integration test to use http-crate header/method types.
  • Refresh Cargo.lock via dependency updates to pull patched transitive versions (e.g., rustls, openssl, aws-lc-sys, rand).

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • crates/rust-mcp-transport/Cargo.toml: Updates dev-dependency wiremock to 0.6 to remove vulnerable transitive deps in test tooling.
  • crates/rust-mcp-sdk/tests/test_streamable_http_client.rs: Migrates test assertions to wiremock 0.6 request/header/method APIs.
  • crates/rust-mcp-sdk/src/hyper_servers/server.rs: Adapts HyperServer to axum-server 0.8 by using Handle<SocketAddr> and updating signatures accordingly.
  • crates/rust-mcp-sdk/src/hyper_servers/hyper_runtime.rs: Updates runtime struct field type for the new axum-server handle generic.
  • crates/rust-mcp-sdk/Cargo.toml: Bumps axum-server to 0.8 and wiremock to 0.6 for the SDK crate.
  • Cargo.toml: Bumps workspace axum-server to 0.8 so workspace crates share the updated server implementation.
  • Cargo.lock: Large lockfile refresh reflecting patched dependency graph after cargo update and version bumps.



Development

Successfully merging this pull request may close these issues.

OSV Scan Report (security issues)

2 participants