
Bump deps (fixes CVEs)#342

Merged
RemiBardon merged 13 commits into
valeriansaliou:masterfrom
RemiBardon:bump-deps
May 14, 2026

Conversation

@RemiBardon
Collaborator

@RemiBardon RemiBardon commented May 14, 2026

cargo audit used to say

(truncated)

error: 6 vulnerabilities found!
warning: 8 allowed warnings found

now it says

(truncated)

warning: 3 allowed warnings found
Details
Crate:     bincode
Version:   1.3.3
Warning:   unmaintained
Title:     Bincode is unmaintained
Date:      2025-12-16
ID:        RUSTSEC-2025-0141
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0141
Dependency tree:
bincode 1.3.3
├── lindera-unidic 0.31.0
│   └── lindera-dictionary 0.31.0
│       ├── sonic-server 1.4.9
│       └── lindera-tokenizer 0.31.0
│           └── sonic-server 1.4.9
├── lindera-tokenizer 0.31.0
├── lindera-dictionary-builder 0.31.0
│   ├── lindera-unidic-builder 0.31.0
│   │   ├── lindera-unidic 0.31.0
│   │   └── lindera-dictionary 0.31.0
│   ├── lindera-ko-dic-builder 0.31.0
│   │   └── lindera-dictionary 0.31.0
│   ├── lindera-ipadic-neologd-builder 0.31.0
│   │   └── lindera-dictionary 0.31.0
│   ├── lindera-ipadic-builder 0.31.0
│   │   └── lindera-dictionary 0.31.0
│   └── lindera-cc-cedict-builder 0.31.0
│       └── lindera-dictionary 0.31.0
├── lindera-dictionary 0.31.0
└── lindera-core 0.31.0
    ├── sonic-server 1.4.9
    ├── lindera-unidic-builder 0.31.0
    ├── lindera-unidic 0.31.0
    ├── lindera-tokenizer 0.31.0
    ├── lindera-ko-dic-builder 0.31.0
    ├── lindera-ipadic-neologd-builder 0.31.0
    ├── lindera-ipadic-builder 0.31.0
    ├── lindera-dictionary-builder 0.31.0
    ├── lindera-dictionary 0.31.0
    └── lindera-cc-cedict-builder 0.31.0

Crate:     encoding
Version:   0.2.33
Warning:   unmaintained
Title:     `encoding` is unmaintained
Date:      2021-12-05
ID:        RUSTSEC-2021-0153
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0153
Dependency tree:
encoding 0.2.33
├── lindera-unidic 0.31.0
│   └── lindera-dictionary 0.31.0
│       ├── sonic-server 1.4.9
│       └── lindera-tokenizer 0.31.0
│           └── sonic-server 1.4.9
└── lindera-dictionary-builder 0.31.0
    ├── lindera-unidic-builder 0.31.0
    │   ├── lindera-unidic 0.31.0
    │   └── lindera-dictionary 0.31.0
    ├── lindera-ko-dic-builder 0.31.0
    │   └── lindera-dictionary 0.31.0
    ├── lindera-ipadic-neologd-builder 0.31.0
    │   └── lindera-dictionary 0.31.0
    ├── lindera-ipadic-builder 0.31.0
    │   └── lindera-dictionary 0.31.0
    └── lindera-cc-cedict-builder 0.31.0
        └── lindera-dictionary 0.31.0

Crate:     memmap
Version:   0.6.2
Warning:   unmaintained
Title:     memmap is unmaintained
Date:      2020-12-02
ID:        RUSTSEC-2020-0077
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.6.2
└── fst 0.3.5
    ├── sonic-server 1.4.9
    ├── fst-regex 0.3.0
    │   └── sonic-server 1.4.9
    └── fst-levenshtein 0.3.0
        └── sonic-server 1.4.9

warning: 3 allowed warnings found

I tried to update fst and lindera-* but it was a bit too involved and I preferred to keep this lightweight, especially given that I’m not sure those things are covered by tests.


Shadows #331.
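A parser for the `cargo audit` report format quoted above, added here as an example (it is not part of this PR or of Sonic): it walks each advisory's dependency tree to find which direct dependencies of `sonic-server` pull the flagged crate in (here `fst` and the `lindera-*` crates the author chose not to bump), and gates on an allow-list of advisory IDs so a CI job can fail on anything not explicitly accepted. The sample report is a constructed, trimmed copy of the output above; the four-columns-per-level tree layout is an assumption about cargo-audit's formatting taken from that output.

```python
import re
# Constructed sample, trimmed from the `cargo audit` report quoted in the PR.
SAMPLE_REPORT = """\
Crate:     memmap
ID:        RUSTSEC-2020-0077
Dependency tree:
memmap 0.6.2
└── fst 0.3.5
    └── sonic-server 1.4.9

Crate:     bincode
ID:        RUSTSEC-2025-0141
Dependency tree:
bincode 1.3.3
├── lindera-unidic 0.31.0
│   └── lindera-dictionary 0.31.0
│       └── sonic-server 1.4.9
└── lindera-core 0.31.0
    └── sonic-server 1.4.9

warning: 2 allowed warnings found
"""
# Capitalised "Key: value" headers only, so the lowercase summary line is ignored.
FIELD = re.compile(r"^([A-Z][A-Za-z ]*):\s+(.*)$")

def parse_audit_report(text, root="sonic-server"):
    """One dict per advisory; 'direct_deps' = direct deps of `root` that pull the crate in."""
    advisories, current, stack, in_tree = [], None, [], False
    for line in text.splitlines():
        if not line.strip():
            in_tree = False  # a blank line closes the current tree
        elif line.startswith("Crate:"):
            advisories.append(current := {"crate": line[6:].strip(), "direct_deps": set()})
        elif current is None:
            continue  # preamble before the first record
        elif line.startswith("Dependency tree:"):
            in_tree, stack = True, []
        elif in_tree:
            marker = line.find("──") if "──" in line else -3  # no marker: depth-0 root line
            depth, name = (marker + 3) // 4, line[marker + 3:].split()[0]
            stack[depth:] = [name]  # drop deeper entries, record this level
            if name == root and depth >= 1:
                current["direct_deps"].add(stack[1])
        elif (m := FIELD.match(line)):
            current[m.group(1).lower()] = m.group(2).strip()
    return advisories

def unexpected_advisories(advisories, allowed_ids):
    """CI gate: advisory IDs in the report that are not on the allow-list."""
    return sorted(a["id"] for a in advisories if a.get("id") not in allowed_ids)
```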

RemiBardon added 13 commits May 14, 2026 21:47

Fixed:

- rustls-webpki: RUSTSEC-2026-0104, RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0049
- tar: RUSTSEC-2026-0068, RUSTSEC-2026-0067
- adler: RUSTSEC-2025-0056
- rand: RUSTSEC-2026-0097

At the moment, Sonic uses library-style version requirements. However,
those requirements allow unexpected breaking changes to happen, if
dependency maintainers don’t follow strict semver rules.

To prevent unexpected CI failures, and build a more reproducible binary,
we should ensure cargo builds using locked version requirements.

P.S.: This comes from experience :')

Adds support for the Cymraeg (Welsh) language
(no stopword supported yet).
@RemiBardon RemiBardon merged commit 48cdb9d into valeriansaliou:master May 14, 2026
1 check passed
@RemiBardon RemiBardon deleted the bump-deps branch May 14, 2026 19:54