a789495a98
FreeBSD Smoke / FreeBSD Smoke (x86_64) (push) Has been cancelled
CI / Quality Guardrails (push) Has been cancelled
CI / Build & Test (macos-latest) (push) Has been cancelled
CI / Build & Test (ubuntu-latest) (push) Has been cancelled
CI / Build & Test (windows-latest) (push) Has been cancelled
CI / Format (push) Has been cancelled
CI / PowerShell Syntax (push) Has been cancelled
CI / Windows Cross-Target Check (Linux) (push) Has been cancelled
5.5 KiB
5.5 KiB
Dependency Security Triage
Last reviewed: 2026-05-14
This file tracks the current cargo audit findings for jcode and the intended remediation path.
It is not an allowlist. It is a triage record so advisories are visible and actionable.
Current advisories
| Advisory | Crate | Dependency path | Affected area in jcode | Triage | Planned action |
|---|---|---|---|---|---|
RUSTSEC-2025-0141 |
bincode |
syntect -> bincode |
Markdown/code highlighting in the TUI | Unmaintained transitive dependency. No direct exposure in the provider/auth flow. | Track syntect upgrades or replace syntect if upstream does not move off bincode soon. |
RUSTSEC-2024-0436 |
paste |
ratatui -> paste, tokenizers -> paste, tract-* -> paste |
TUI rendering, tokenizers, embedding/model support | Widely transitive. Not isolated to one module. | Prefer upstream dependency upgrades before any local workaround. Re-evaluate after bumping ratatui, tokenizers, and tract-*. |
RUSTSEC-2026-0002 |
lru |
ratatui -> lru |
TUI rendering/cache internals | Unsoundness warning in a UI dependency. Not in auth/provider logic, but still ships in-process. | Upgrade ratatui / ratatui-image together once compatible. |
RUSTSEC-2026-0097 |
rand |
azure_core, tungstenite, tract-*, ratatui-image, and others |
Azure auth, websocket, embedding, and UI transitive paths | Unsoundness warning involving custom loggers using rand::rng(). Jcode does not intentionally use that pattern, but the crate is broad in the graph. |
Prefer upstream upgrades to rand 0.9-compatible dependency stacks. |
RUSTSEC-2026-0141 |
lettre |
jcode-notify-email -> lettre |
Notification email sending | Vulnerability applies to the Boring TLS backend hostname verification path. Jcode's lettre dependency uses rustls/native-tls features, not boring-tls, so this is not believed exploitable in the current build. |
Keep ignored in scripts/security_preflight.sh; remove ignore after lettre ships a patched release or if feature use changes. |
RUSTSEC-2026-0098 |
rustls-webpki |
rustls dependency stack |
TLS certificate validation in rustls consumers | Name constraints for URI names incorrectly accepted. Transitive via TLS libraries. | Upgrade rustls/webpki stack when compatible releases are available. |
RUSTSEC-2026-0099 |
rustls-webpki |
rustls dependency stack |
TLS certificate validation in rustls consumers | Name constraints accepted for wildcard certificates. Transitive via TLS libraries. | Upgrade rustls/webpki stack when compatible releases are available. |
RUSTSEC-2026-0104 |
rustls-webpki |
rustls dependency stack |
TLS certificate revocation list parsing | Reachable panic in CRL parsing. Transitive via TLS libraries. | Upgrade rustls/webpki stack when compatible releases are available. |
RUSTSEC-2026-0049 |
rustls-webpki |
rustls dependency stack (aws-smithy rustls 0.21, imap/rustls-connector rustls 0.22) |
TLS certificate revocation list handling | CRLs not considered authoritative by Distribution Point due to faulty matching logic. Transitive via the older rustls stacks; fix needs rustls-webpki >=0.103.10, which requires major bumps of the aws-sdk/imap stacks. |
Upgrade rustls/webpki stack when compatible releases are available. |
RUSTSEC-2026-0187 |
lopdf |
jcode-pdf -> pdf-extract 0.8.2 -> lopdf 0.34 |
PDF text extraction (/pdf, image/PDF reads) |
Stack overflow parsing deeply nested PDF objects. Only reached when extracting text from a (potentially malicious) PDF the user opens; not in the auth/provider/network path. pdf-extract 0.8.2 pins lopdf 0.34, so it cannot be bumped to the fixed >=0.42 without an upstream pdf-extract release. |
Upgrade once pdf-extract ships a release depending on lopdf >=0.42; remove the ignore then. |
RUSTSEC-2023-0086 |
lexical-core |
imap -> imap-proto -> lexical-core |
Gmail/IMAP support path | Old unsound transitive dependency in the mail stack. Higher priority than the UI-only findings because it touches network-parsed data. | Investigate upgrading or replacing imap / imap-proto. If no maintained path exists, isolate or remove the IMAP dependency. |
Priority order
rustls-webpkiTLS advisories via rustls stacklexical-coreviaimap-protolettreif Jcode ever enablesboring-tlslruviaratatuibincodeviasyntectpaste/randvia multiple transitive dependencies
Notes
- None of the advisories above were introduced by the provider-auth refactor.
- The provider/auth hardening work should continue independently of these dependency upgrades.
RUSTSEC-2024-0320(yaml-rust) was removed from the dependency graph on 2026-03-05 by trimmingsyntectfeatures to built-in syntax/theme dumps instead of YAML loading.RUSTSEC-2026-0194/RUSTSEC-2026-0195(quick-xml0.39.2): reached only throughwayland-scanner, a build-time proc-macro in the desktop crate's winit stack. It parses trusted, vendored Wayland protocol XML during compilation and never touches untrusted input at runtime. Remediation is upstream:wayland-scannerneeds to move toquick-xml >= 0.41. Triaged and ignored inscripts/security_preflight.shon 2026-07-04.scripts/security_preflight.shignores the vulnerability advisories that are explicitly triaged above (lettreandrustls-webpki) so CI can remain actionable. New vulnerabilities still fail CI by default.- Before changing dependency versions, run:
cargo checkcargo test -j 1scripts/security_preflight.sh