fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory #97
## Summary

Two new RUSTSEC advisories landed between 2026-06-18 (last green CI run on M7.3 branches) and 2026-06-30 that started failing every PR's `cargo audit` step. This PR unblocks the M7.3 merge train (#96, #94).

## Changes

- quinn-proto 0.11.14 → 0.11.15 via `cargo update -p quinn-proto`. Patch release, no API change.
- rmcp 0.16.0: DNS rebinding in Streamable HTTP server transport. Patched in `>= 1.4.0` but that's a major API jump (rmcp shipped 0.x → 1.x → 2.x in three months). Added to `.cargo/audit.toml` ignore list with the threat-model justification: our MCP server is a public-hostname deployment behind orca's TLS-terminating ingress with per-tenant bearer auth (just landed in #92). Browser DNS-rebinding into a victim's localhost MCP server doesn't apply here.

## Follow-up

A dedicated PR will migrate rmcp 0.16 → 2.x and remove RUSTSEC-2026-0189 from the ignore list. Sized multi-hour due to API surface change — not blocking M7.3 close.

## Test plan

`cargo audit` clean locally — no `error: N vulnerabilities found`, 8 allowed warnings (unchanged)

🤖 Generated with Claude Code