chore(deps): update rustls-webpki to 0.103.12 #9996

Merged
siketyan merged 1 commit into main from chore/update-rustls-webpki
Apr 15, 2026

@siketyan siketyan commented Apr 15, 2026

Summary

Resolves the following audit error:

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/biome/biome/Cargo.lock:399:1
    │
399 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)

ref: https://rustsec.org/advisories/RUSTSEC-2026-0098
ref: GHSA-965h-392x-2mh5 (not yet available)

Test Plan

N/A

Docs

N/A

@siketyan siketyan self-assigned this Apr 15, 2026
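
The difference between ignoring an unsupported name-constraint form and rejecting it, which is the change the advisory quoted above describes, shown as an added Rust example. It is not code from this PR or from rustls-webpki: it is a simplified model, and the names `Constraint`, `Verdict`, `check_permitted` and `sample`, along with all sample values, are hypothetical.

```rust
// Simplified model of the check (constructed for illustration; not rustls-webpki's code or API).
#[derive(Debug, PartialEq)]
enum Constraint {
    Dns(String), // permitted DNS subtree; constructed sample values are used below
    Uri(String), // URI constraint: a name form this model cannot evaluate
}

#[derive(Debug, PartialEq)]
enum Verdict {
    Accepted,
    NameNotPermitted,
    UnsupportedConstraint(String),
}

// True when `name` equals `base` or is a subdomain of it (case-insensitive).
fn dns_in_subtree(name: &str, base: &str) -> bool {
    let (name, base) = (name.to_ascii_lowercase(), base.to_ascii_lowercase());
    name == base || name.ends_with(format!(".{}", base).as_str())
}

// fail_closed = false: the URI constraint is skipped, as in the behaviour the advisory describes.
// fail_closed = true: any URI constraint rejects the chain, as the advisory says the fix does.
fn check_permitted(dns_name: &str, permitted: &[Constraint], fail_closed: bool) -> Verdict {
    let (mut dns_seen, mut dns_ok) = (false, false);
    for c in permitted {
        match c {
            Constraint::Dns(base) => {
                dns_seen = true;
                dns_ok |= dns_in_subtree(dns_name, base);
            }
            Constraint::Uri(u) if fail_closed => {
                return Verdict::UnsupportedConstraint(u.clone());
            }
            Constraint::Uri(_) => {} // ignored: the issuer's restriction silently disappears
        }
    }
    if dns_seen && !dns_ok { Verdict::NameNotPermitted } else { Verdict::Accepted }
}

// Constructed constraint set: one DNS subtree plus one URI constraint.
fn sample() -> Vec<Constraint> {
    vec![Constraint::Dns("example.com".into()), Constraint::Uri(".example.com".into())]
}

fn main() {
    println!("{:?}", check_permitted("api.example.com", &sample(), false));
    println!("{:?}", check_permitted("api.example.com", &sample(), true));
}
```

With the same input, the fail-open path reports `Accepted` while the fail-closed path reports which constraint it could not evaluate.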

changeset-bot Bot commented Apr 15, 2026

⚠️ No Changeset found

Latest commit: 29419ae

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


codspeed-hq Bot commented Apr 15, 2026

Merging this PR will not alter performance

✅ 249 untouched benchmarks


Comparing chore/update-rustls-webpki (29419ae) with main (eabf54a)

@siketyan siketyan merged commit 15276a5 into main Apr 15, 2026
36 checks passed
@siketyan siketyan deleted the chore/update-rustls-webpki branch April 15, 2026 13:04