fix(security): resolve Dependabot #5 (lru unsound) + Code Scanning #7 (actions expr-injection)#56

Draft
hyperpolymath wants to merge 2 commits into main from claude/fix-security-vulnerability-RMcwt
Conversation

@hyperpolymath
Owner

Dependabot alert #5: lru 0.12.5 unsound iterator (RUSTSEC-2026-0002 / GHSA-rhfx-m35p-ff5j)

Pulled in transitively via ratatui 0.29 → lru ^0.12. Bumped ratatui to 0.30 (which dropped its lru dependency entirely) and crossterm to 0.29 to satisfy the new lower bound. The lockfile now resolves to lru 0.16.4 (≥ patched 0.16.3) via an unrelated transitive path. coord-tui's ratatui API surface is unchanged in 0.30; release build is green and cargo audit reports 0 vulns / 0 warnings.

Confirmed by the post-push remote notice: the default branch reports "1 vulnerability (1 low)" pointing at alert #5 — matches the unsound-tier lru advisory.

Code Scanning alert #7 — best-guess: actions/expression-injection in instant-sync.yml

⚠️ Note: I couldn't read alert #7 directly — the GitHub MCP server available to me doesn't expose the code-scanning alerts endpoint, and WebFetch 404s on the unauthenticated URL. The user opted into a broad scan rather than pasting the alert.

The only ${{ github.event.* }} value interpolated directly into a run: shell line in this repo is github.event.repository.name at instant-sync.yml:33 — the canonical CodeQL actions/expression-injection sink. Fixed by:

  • Confirm step: bind to env: REPO_NAME and reference $REPO_NAME from the shell (documented mitigation).
  • Trigger Propagation client-payload: wrap each interpolation in toJSON(...) so the JSON template remains well-formed even if a value contains " / \n.

If alert #7 was actually pointing somewhere else, please drop the rule ID / file:line into a review comment and I'll redirect the fix.

Test plan


Generated by Claude Code

claude added 2 commits May 11, 2026 14:36
ratatui 0.29 pulled in lru 0.12.5, which is affected by
RUSTSEC-2026-0002 / GHSA-rhfx-m35p-ff5j (IterMut soundness / stacked
borrows). ratatui 0.30 dropped its lru dependency entirely; the new
lock resolves to lru 0.16.4 (>= patched 0.16.3) via an unrelated path.
crossterm bumped to 0.29 to satisfy ratatui 0.30's lower bound;
coord-tui's ratatui import surface (backend, layout, style, text,
widgets, Frame, Terminal) is unchanged in 0.30 and the binary builds
clean. cargo audit reports 0 vulns / 0 warnings post-bump.

Resolves Dependabot alert #5.

CodeQL's actions/expression-injection rule flags `${{ github.event.* }}`
interpolated directly into a `run:` shell line, because in principle a
repository renamed to contain shell metacharacters could break out into
the host runner. The `Confirm` step did exactly that with
`github.event.repository.name`.

Two changes:
* `Confirm` step: bind the repo name into an `env:` block and reference
  `$REPO_NAME` from the shell, which is the documented mitigation.
* `Trigger Propagation` client-payload: wrap each interpolated value in
  `toJSON(...)` so the JSON template stays well-formed (and quoted)
  even if the underlying string contains `"`/`\n`.

Best-guess fix for Code Scanning alert #7 — the only direct
`${{ github.event.* }}` -> `run:` interpolation in this repo's
workflows.
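The two mitigations the commit message describes, shown as a before/after workflow. This is an added example, not the repository's own instant-sync.yml: the workflow name, the `repository-dispatch` action, the secret name and the downstream repository are assumptions; only the `Confirm` / `Trigger Propagation` step names, `REPO_NAME` and `github.event.repository.name` come from the PR.

```yaml
# Added example workflow (constructed); not the project's instant-sync.yml.
name: instant-sync-example

on:
  push:
    branches: [main]

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (the pattern CodeQL's actions/expression-injection rule flags):
      # the expression is substituted into the script text before bash parses
      # it, so the repository name is interpreted as shell syntax, not as data.
      #
      # - name: Confirm
      #   run: echo "Syncing ${{ github.event.repository.name }}"

      # AFTER: the value is handed over through the process environment and
      # expanded by the shell at runtime as an ordinary string.
      - name: Confirm
        env:
          REPO_NAME: ${{ github.event.repository.name }}
        run: echo "Syncing $REPO_NAME"

      # BEFORE: raw interpolation inside a JSON literal. A value containing
      # `"` or a newline yields malformed JSON or changes its structure.
      #
      # client-payload: '{"repo": "${{ github.event.repository.name }}", "sha": "${{ github.sha }}"}'

      # AFTER: toJSON() emits a quoted, escaped JSON string for any input,
      # so the payload template stays well-formed.
      - name: Trigger Propagation
        uses: peter-evans/repository-dispatch@v3    # assumed dispatch action
        with:
          token: ${{ secrets.DISPATCH_TOKEN }}       # placeholder secret name
          repository: example-org/downstream-repo    # placeholder target
          event-type: propagate
          client-payload: >-
            {"repo": ${{ toJSON(github.event.repository.name) }},
             "sha": ${{ toJSON(github.sha) }}}
```

The `env:` binding is the mitigation GitHub's own security hardening guide documents for untrusted event data; the `toJSON` wrapping is a separate fix for the payload template, where the concern is JSON structure rather than shell parsing. A quick check after applying either change is to re-run CodeQL's `actions` query pack (or wait for the next Code Scanning run) and confirm the `run:` line no longer contains a `${{ github.event.* }}` expression.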