fix(deps): resolve rust dependabot advisories (openssl, libyml) #1742
Merged
Resolves the open dependabot advisories on the rust-openssl crate (GHSA-xp3w-r5p5-63rr, GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3). openssl is pulled transitively via native-tls/reqwest.
libyml (GHSA-gfxp-f68g-8x78) has no patched version; it is unmaintained and flagged as unsound. It was pulled only through serde_yml, which in this repo was dead code: a single unused error variant SerdeYml(#[from] serde_yml::Error) in vite_error with no YAML parsing anywhere. Remove the variant and the serde_yml dependency, which drops serde_yml and libyml from the tree entirely.
✅ Deploy Preview for viteplus-preview canceled.
fengmk2 added a commit that referenced this pull request on Jun 2, 2026:
The openssl bump and the serde_yml/libyml removal now live in their own PR (#1742); revert them here so this PR carries only the npm override fixes for the pnpm-lock manifests.
Member (Author):
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit f1ddea6.
Boshen approved these changes on Jun 2, 2026.
Resolves the open Rust Dependabot advisories in Cargo.lock, as two independent commits.

openssl 0.10.80

Bumps the transitive rust-openssl crate (pulled via native-tls/reqwest), resolving:

Lockfile-only change: openssl 0.10.76 to 0.10.80, openssl-sys 0.9.112 to 0.9.116.

Drop serde_yml to remove unmaintained libyml

libyml (GHSA-gfxp-f68g-8x78) has no patched version; it is unmaintained and flagged as unsound. It reached the tree only through serde_yml, which here was dead code: a single unused error variant SerdeYml(#[from] serde_yml::Error) in vite_error, with no YAML parsing anywhere in the workspace. Removing the variant and the serde_yml dependency drops both serde_yml and libyml from the tree.

Validation

cargo check --workspace --locked compiles. serde_yml and libyml no longer appear in Cargo.lock; openssl is 0.10.80.
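The validation step above is manual. As an added CI-style check (not part of this PR or the project), the script below parses a Cargo.lock, fails if openssl or openssl-sys sit below the advisory-fixed versions named in the description, and fails if serde_yml or libyml reappear in the tree. The lockfile excerpt is constructed, and the minimal parser assumes Cargo.lock's `[[package]]` / `name` / `version` line layout.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt mirroring the post-merge state this PR describes.
SAMPLE_LOCK = '''\
version = 4

[[package]]
name = "native-tls"
version = "0.2.14"
dependencies = [
 "openssl",
]

[[package]]
name = "openssl"
version = "0.10.80"
dependencies = [
 "openssl-sys",
]

[[package]]
name = "openssl-sys"
version = "0.9.116"
'''

# Advisory floors from the PR description; crates that must stay out of the tree.
MIN_VERSIONS = {"openssl": "0.10.80", "openssl-sys": "0.9.116"}
BANNED = {"serde_yml", "libyml"}

# Each [[package]] entry starts with its name and version lines.
_PKG_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')

def parse_lock(text):
    """Map crate name -> list of versions present (a lockfile may hold several)."""
    found = defaultdict(list)
    for name, version in _PKG_RE.findall(text):
        found[name].append(version)
    return dict(found)

def parse_version(v):
    # Compare the numeric prefix only; a pre-release suffix is ignored.
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def check_lock(text, min_versions=MIN_VERSIONS, banned=BANNED):
    """Return a list of problems; an empty list means the lockfile passes."""
    pkgs = parse_lock(text)
    problems = []
    for name, floor in min_versions.items():
        for v in pkgs.get(name, []):
            if parse_version(v) < parse_version(floor):
                problems.append(f"{name} {v} is below advisory floor {floor}")
    for name in sorted(banned):
        if name in pkgs:
            problems.append(f"{name} still present: {pkgs[name]}")
    return problems
```

Run it against the real lockfile with `check_lock(open("Cargo.lock").read())` and fail the job when the list is non-empty.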
Note: Low Risk
Dependency-only changes with no runtime logic changes; removing an unused error variant is unlikely to affect behavior.

Overview
Addresses Dependabot Rust advisories with lockfile OpenSSL upgrades and removal of unused YAML crates.

OpenSSL: Cargo.lock bumps transitive openssl (0.10.76 → 0.10.80) and openssl-sys (0.9.112 → 0.9.116), including dropping the once_cell dependency on the openssl crate entry—typical of the patched release pulled in via reqwest / native TLS.

libyml / serde_yml: Removes workspace serde_yml and the vite_error dependency, plus the unused SerdeYml thiserror variant. That prunes serde_yml and unmaintained libyml from the dependency tree; YAML elsewhere still uses serde_yaml in the workspace.