Skip to content

fix(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#359

Merged
kingchenc merged 1 commit into
mainfrom
fix/rustsec-2026-0204-crossbeam
Jul 8, 2026
Merged

fix(deps): bump crossbeam-epoch to 0.9.20 (RUSTSEC-2026-0204)#359
kingchenc merged 1 commit into
mainfrom
fix/rustsec-2026-0204-crossbeam

Conversation

@kingchenc

Copy link
Copy Markdown
Collaborator

cargo-deny started failing on RUSTSEC-2026-0204 — an invalid pointer dereference in crossbeam-epoch's fmt::Pointer impl for Atomic/Shared, reaching us transitively through crossbeam-deque. The advisory was published after the last green run, so it reddens the supply-chain check on every PR (and the next main push) org-wide, not just here.

Official fix: upgrade to >=0.9.20. This is a lock-only patch bump (cargo update -p crossbeam-epoch, 0.9.18 -> 0.9.20) — no Cargo.toml or code change. Restores cargo-deny (advisories) to green.

RustSec published RUSTSEC-2026-0204: an invalid pointer dereference in the
fmt::Pointer impl for crossbeam-epoch's Atomic and Shared when the underlying
pointer is invalid. It reaches us transitively via crossbeam-deque. The fix is
a lock-only patch bump to the already-compatible 0.9.20 (no Cargo.toml or code
change). cargo-deny's advisories check now passes.
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@kingchenc kingchenc merged commit 7d4ca8c into main Jul 8, 2026
55 of 56 checks passed
@kingchenc kingchenc deleted the fix/rustsec-2026-0204-crossbeam branch July 8, 2026 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant