rustls-webpki 0.101.7 (Dependabot alerts #19, #20) — ✅ RESOLVED

CVEs: webpki name constraint issues (fixed in 0.103.12+)
Original root cause: AWS SDK shipped rustls 0.21 support via hyper-rustls 0.24.2 for hyper 0.14 backward compat, which pulled rustls-webpki 0.101.7.
Resolution: The AWS SDK has since dropped the rustls 0.21 compat path.
Current v3/Cargo.lock carries:

- hyper-rustls 0.27.9 (was 0.24.2)
- rustls-webpki 0.103.13 only (the 0.101.7 instance is no longer present)
Re-check once AWS SDK releases a version that drops hyper 0.14 / rustls 0.21 compat — done; resolved in v3 dependency tree
rand 0.8.6 (transitive only — no separate Dependabot alert) — ⏳ STILL BLOCKED
CVE: Unsoundness with custom logger using rand::rng() (affects 0.9.x / 0.10.x series; 0.8.x is a separate semver series)
Root cause: Several upstream crates still depend on rand 0.8:
| Crate | Version | Status |
| --- | --- | --- |
| age | 0.11.3 | No 0.12 release yet that upgrades to rand 0.9+ |
| tera | 1.20.1 | Latest 1.x still uses rand 0.8 |
| phf_generator | 0.11.3 | Latest 0.11 still uses rand 0.8 |
The rand 0.9.x and 0.10.x instances have been updated to 0.9.4 and 0.10.1 respectively (resolving alerts #16 and #17). The 0.8.6 presence is collateral from these upstream crates.
Workaround: None. Monitor upstream for new major versions of age, tera, and/or phf.
Action needed
Re-check once age, tera, and/or phf release versions using rand 0.9+
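As an added example (not code from this issue or from any of the crates named in it), a small Cargo.lock reverse-dependency lookup that answers the re-check question above: which packages in the lock still depend on a given crate version. The lock excerpt is constructed to mirror the tree described here, and the names parse_lock and dependents are my own.

```python
"""Reverse-dependency lookup over a Cargo.lock: which crates still pin a vulnerable transitive version."""

# Constructed Cargo.lock excerpt modelled on the dependency tree in this issue.
SAMPLE_LOCK = """\
[[package]]
name = "age"
version = "0.11.3"
dependencies = [
 "rand 0.8.6",
]
[[package]]
name = "rand"
version = "0.8.6"
[[package]]
name = "rand"
version = "0.9.4"
[[package]]
name = "v3"
version = "0.1.0"
dependencies = [
 "age",
 "rand 0.9.4",
]
"""

def parse_lock(text):
    """Map (name, version) -> list of (dep_name, dep_version) edges."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[[package]]":
            cur = {"deps": []}
            entries.append(cur)
        elif cur and line.startswith(("name = ", "version = ")):
            cur[line.split(" = ")[0]] = line.split('"')[1]
        elif cur and line.startswith('"'):  # '"rand 0.8.6",' or just '"age",'
            parts = line.strip('",').split()
            cur["deps"].append((parts[0], parts[1] if len(parts) > 1 else None))
    # Cargo omits the version in a dep string only when a single version of that
    # crate is in the lock, so a plain name -> version map resolves those cases.
    only = {e["name"]: e["version"] for e in entries}
    return {(e["name"], e["version"]): [(d, v or only[d]) for d, v in e["deps"]]
            for e in entries}

def dependents(graph, name, version):
    """Direct dependents of name@version, as sorted 'name version' strings."""
    return sorted(f"{n} {v}" for (n, v), deps in graph.items() if (name, version) in deps)
```

Running dependents(parse_lock(SAMPLE_LOCK), "rand", "0.8.6") on the real v3/Cargo.lock is the check to repeat when age, tera, or phf publish a release that moves to rand 0.9+.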
Summary
Tracks transitive Rust dependency vulnerabilities in v3 that cannot be resolved at the project level without upstream releases.
Status (2026-05-14): The rustls-webpki / AWS SDK portion of this issue has been resolved upstream. The rand 0.8.6 portion remains tracked here.
Related