Skip to content

chore: update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204#704

Merged
wmmc88 merged 2 commits into
microsoft:mainfrom
svasista-ms:fix-rustsec-2026-0190-anyhow
Jul 16, 2026
Merged

chore: update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204#704
wmmc88 merged 2 commits into
microsoft:mainfrom
svasista-ms:fix-rustsec-2026-0190-anyhow

Conversation

@svasista-ms

Copy link
Copy Markdown
Contributor

Bumps two dependencies - anyhow and crossbeam-epoch flagged by cargo audit to resolve open security advisories.

Resolves #696 #700

anyhow versions <1.0.103 have an unsoundness in Error::downcast_mut() (RUSTSEC-2026-0190). Bump the workspace constraint and refresh all lockfiles (workspace, examples, and test fixtures) to 1.0.103.

Fixes microsoft#696
crossbeam-epoch 0.9.18 has an invalid pointer dereference in the fmt::Pointer impl for Atomic/Shared (RUSTSEC-2026-0204). It is pulled in transitively via assert_fs (dev-dependency). Bump to 0.9.20.
Copilot AI review requested due to automatic review settings July 16, 2026 11:14
@svasista-ms svasista-ms changed the title fix(deps): update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 fix(deps): update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 Jul 16, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the workspace’s dependency set to address two RustSec advisories reported by cargo audit, ensuring the repository no longer resolves to vulnerable versions of anyhow and crossbeam-epoch.

Changes:

  • Bump anyhow to 1.0.103 (patched for RUSTSEC-2026-0190).
  • Bump crossbeam-epoch to 0.9.20 (patched for RUSTSEC-2026-0204) via lockfile resolution.
  • Refresh the various test/example fixture Cargo.lock files to align with the updated resolved versions.

Reviewed changes

Copilot reviewed 1 out of 17 changed files in this pull request and generated no comments.

Show a summary per file
File Description
Cargo.toml Updates workspace dependency requirement for anyhow to the patched version.
Cargo.lock Updates resolved anyhow and crossbeam-epoch versions/checksums.
tests/wdk-sys-tests/Cargo.lock Updates resolved anyhow in this fixture lockfile.
tests/umdf-driver-workspace/Cargo.lock Updates resolved anyhow in this fixture lockfile.
tests/mixed-package-kmdf-workspace/Cargo.lock Updates resolved anyhow in this fixture lockfile.
tests/customized-config-toml-workspace/Cargo.lock Updates resolved anyhow (and also refreshes bindgen) in this fixture lockfile.
tests/config-umdf/Cargo.lock Updates resolved anyhow in this fixture lockfile.
tests/config-kmdf/Cargo.lock Updates resolved anyhow in this fixture lockfile.
examples/sample-wdm-driver/Cargo.lock Updates resolved anyhow in this example lockfile.
examples/sample-umdf-driver/Cargo.lock Updates resolved anyhow in this example lockfile.
examples/sample-kmdf-driver/Cargo.lock Updates resolved anyhow in this example lockfile.
crates/cargo-wdk/tests/wdm-driver/Cargo.lock Updates resolved anyhow in this test fixture lockfile.
crates/cargo-wdk/tests/umdf-driver/Cargo.lock Updates resolved anyhow in this test fixture lockfile.
crates/cargo-wdk/tests/mixed-package-kmdf-workspace/Cargo.lock Updates resolved anyhow in this test fixture lockfile.
crates/cargo-wdk/tests/kmdf-driver/Cargo.lock Updates resolved anyhow in this test fixture lockfile.
crates/cargo-wdk/tests/kmdf-driver-with-target-override/Cargo.lock Updates resolved anyhow in this test fixture lockfile.
crates/cargo-wdk/tests/emulated-workspace/umdf-driver-workspace/Cargo.lock Updates resolved anyhow in this test fixture lockfile.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@codecov-commenter

codecov-commenter commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.93%. Comparing base (21ec8f8) to head (b122510).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #704   +/-   ##
=======================================
  Coverage   79.93%   79.93%           
=======================================
  Files          26       26           
  Lines        5633     5633           
  Branches     5633     5633           
=======================================
  Hits         4503     4503           
  Misses       1002     1002           
  Partials      128      128           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@wmmc88 wmmc88 changed the title fix(deps): update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 chore(deps): update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 Jul 16, 2026
@wmmc88 wmmc88 changed the title chore(deps): update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 chore: update anyhow and crossbeam-epoch to resolve RUSTSEC-2026-0190 and RUSTSEC-2026-0204 Jul 16, 2026
@wmmc88
wmmc88 added this pull request to the merge queue Jul 16, 2026
@github-merge-queue
github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 16, 2026
@wmmc88
wmmc88 added this pull request to the merge queue Jul 16, 2026
Merged via the queue into microsoft:main with commit a96fd81 Jul 16, 2026
229 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0190: Unsoundness in Error::downcast_mut()

5 participants