- Update rustls-webpki 0.103.10 → 0.103.13 (fixes RUSTSEC-2026-0098,
  RUSTSEC-2026-0099, RUSTSEC-2026-0104)
- Update mongodb 3.5.1 → 3.6.0 (latest compatible 3.x)
- Add .cargo/audit.toml ignoring two hickory-proto advisories that cannot
  be fixed: mongodb 3.x pins hickory-resolver 0.25.x which pins
  hickory-proto 0.25.x; RUSTSEC-2026-0118 has no upstream fix at all,
  RUSTSEC-2026-0119 requires hickory-proto >=0.26.1 which mongodb does
  not yet support. Both are DNS-layer DoS vectors requiring control of
  the DNS server responding to MongoDB's hostname resolution.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Semgrep was running unbounded with --config=auto (downloads all rules) and no memory cap,
making it likely to get OOM-killed in resource-constrained Orca containers. Syft had remote
license lookups enabled which adds network calls and memory overhead. Neither had timeouts,
so a hung process would stall the entire scan indefinitely and silently produce 0 results.

- semgrep: add --max-memory 500 --jobs 1 and a 10-minute timeout
- syft: remove remote license lookup env vars, add 5-minute timeout
- gitleaks: add 5-minute timeout
- dashboard: fix Script dangerous_inner_html -> text child (Dioxus 0.7 Script element
  requires a single text node child, not dangerous_inner_html — was spamming error logs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
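The failure mode the second commit describes (a hung or OOM-killed scanner being reported as a clean scan with 0 findings) is what a bounded runner has to make impossible. The wrapper below is an added example, not the project's own scan code; it assumes GNU coreutils `timeout`, and `run_scanner`, `SEMGREP_CONFIG` and `TARGET` are hypothetical names standing in for the project's wiring.

```shell
#!/bin/sh
# Added example, not the project's scan wrapper. Assumes GNU coreutils
# `timeout`: exit 124 when the limit expires, 128+N when the child dies
# from signal N (137 = SIGKILL, the usual signature of an OOM kill).
#
# run_scanner NAME LIMIT_SECONDS OUTPUT_FILE COMMAND [ARGS...]
# Runs one scanner under a wall-clock limit and classifies the outcome so a
# hang or kill can never be mistaken for "scan finished with 0 findings".
# Prints "NAME: ok|timeout|killed|failed(rc=N)"; returns 0 only for "ok".
run_scanner() {
    name=$1; limit=$2; out=$3
    shift 3
    rc=0
    timeout "$limit" "$@" > "$out" 2>/dev/null || rc=$?
    case $rc in
        0)   echo "$name: ok"; return 0 ;;
        124) : > "$out"   # partial output is not a result set; discard it
             echo "$name: timeout"; return 1 ;;
        137) : > "$out"
             echo "$name: killed"; return 1 ;;
        *)   : > "$out"
             echo "$name: failed(rc=$rc)"; return 1 ;;
    esac
}

# Wiring that mirrors the limits in the commit: 600 s for semgrep with the
# memory and job caps, 300 s for syft and gitleaks. Runs only with --demo;
# SEMGREP_CONFIG and TARGET are placeholders for the real ruleset and path.
if [ "${1:-}" = "--demo" ]; then
    failed=0
    run_scanner semgrep 600 semgrep.json semgrep scan --config "$SEMGREP_CONFIG" \
        --max-memory 500 --jobs 1 --json "$TARGET" || failed=1
    run_scanner syft 300 sbom.json syft scan "$TARGET" -o json || failed=1
    run_scanner gitleaks 300 gitleaks.log gitleaks detect --source "$TARGET" \
        --report-format json --report-path gitleaks.json || failed=1
    # A non-zero exit here is the point: an incomplete scan is not a clean one.
    exit $failed
fi
```

The test exercises the classifier with `sh -c` and `sleep` stand-ins rather than the real scanners, so it runs offline.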