fix(rust): bump aws-lc-rs to 1.16.2 to patch aws-lc-sys CVE (Dependabot #501)

[Copilot]

aws-lc-sys >= 0.32.0, < 0.39.0 is vulnerable to X.509 Name Constraints Bypass via Wildcard/Unicode CN (CVSS 8.2). Dependabot couldn't auto-resolve because the transitive parent aws-lc-rs 1.16.1 capped aws-lc-sys at 0.38.0.

Changes

• rust/Cargo.lock — cargo update -p aws-lc-rs bumps the chain:
  • aws-lc-rs: 1.16.1 → 1.16.2
  • aws-lc-sys: 0.38.0 → 0.39.1 (patched)

Dependency path: echo crate → axum-server[tls-rustls] → rustls → aws-lc-rs → aws-lc-sys

No Cargo.toml changes required; existing semver constraints already admitted 1.16.2.

Original prompt

Problem

Dependabot alert #501 (https://github.com/envoyproxy/toolshed/security/dependabot/501) flags aws-lc-sys (Rust) in rust/Cargo.lock as vulnerable to AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN (severity: High 8.2/10).

• Package: aws-lc-sys (Rust)
• Affected versions: >= 0.32.0, < 0.39.0
• Patched version: 0.39.0
• File: rust/Cargo.lock

Dependabot says "Dependabot cannot update to the required version" — "One or more other dependencies require a version that is incompatible with this update." This means some crate(s) in the dependency tree have version constraints that cap aws-lc-sys below 0.39.0.

Fix Required

1. Investigate rust/Cargo.toml (and any workspace member Cargo.toml files) to find which crates transitively depend on aws-lc-sys. The likely culprits are crates like aws-lc-rs, rustls, tokio-rustls, reqwest, or similar TLS/crypto crates.
2. Update those parent crates to versions that allow aws-lc-sys >= 0.39.0.
3. Regenerate rust/Cargo.lock (by running cargo update or cargo generate-lockfile in the rust/ directory) so that aws-lc-sys resolves to >= 0.39.0.
4. Verify that the lockfile no longer contains any aws-lc-sys version in the vulnerable range >= 0.32.0, < 0.39.0.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: not sure why dependabot isnt resolving this - but it needs to be fixed

Assistant: Unfortunately, I'm unable to directly access the Dependabot security alert #345 at https://github.com/envoyproxy/toolshed/security/dependabot/345 — Dependabot security alerts are not publicly accessible via API and require repository collaborator/admin access to view details.

However, I can see that Dependabot is actively creating PRs in the repo. Here are the current open Dependabot PRs that may be related to the alert you're looking at:

data:
- url: "https://github.com/envoyproxy/toolshed/pull/3942"
  repository: "envoyproxy/toolshed"
  state: "open"
  draft: false
  title: "build(deps): bump the dependencies group across 9 directories with 2 updates"
  number: 3942
  created_at: "2026-04-01T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependencies"
  - "javascript"
  author: "dependabot[bot]"
  comments: 1
  assignees_avatar_urls: []
- url: "https://github.com/envoyproxy/toolshed/pull/3941"
  repository: "envoyproxy/toolshed"
  state: "open"
  draft: false
  title: "build(deps): bump the dependencies group across 44 directories with 1 update"
  number: 3941
  created_at: "2026-04-01T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependencies"
  - "github_actions"
  author: "dependabot[bot]"
  comments: 1
  assignees_avatar_urls: []

Why Dependabot might not be auto-resolving alert #345:

There are several common reasons a Dependabot alert stays open even when PRs exist:

1. The vulnerable dependency is a transitive/indirect dependency — Dependabot can only update direct dependencies. If the vulnerability is in a transitive dep, it can't create a PR to fix it directly.

2. Version constraints prevent the update — If package.json (or equivalent) pins a range that doesn't include the fixed version, Dependabot may be unable to generate a compatible update.

3. The alert is for a different ecosystem than what Dependabot version updates are configured for (e.g., the alert might be for a pip/cargo/npm lockfile dep not covered by the dependabot.yml grouping).

4. Dependabot's open PR limit has been reached — By default, Dependabot limits itself to 5 open security PRs. With multiple large grouped PRs already open, it may be queued.

To fix this manually, you'd need to:

• Go to the Dependabot alert #345 to see which package/version is affected
• Check if any of the open PRs above already address it (the TypeScript 5.9.3 → 6.0.2 updates in PRs build(deps): bump the dependencies group across 9 directories with 2 updates #3942 and chore(deps): update dependency typescript to v6 #3887 are the most prominent updates right now)
• If it's a transitive dependency, you may need to manually update the lockfile or override the dependency

Would you like me to create a PR to fix a specific vulnerable dependency, or would you like me to investigate the repo's dependabot.yml configuration to understand why certain alerts might not be getting resolved?

User: yeah fix it

Assistant:

Let me first look at the Dependabot alert details and the repo's dependency configuration to understand what needs to be fixed.

Assistant: I can't directly access Dependabot security alert details through the API. Let me look at the open Dependabot PRs and recent security-related activity to understand what alert #345 might be about.

Assistant: I can't directly access the Dependabot alert details through the API, so let me look at the security-related files and recent vulnerability patterns in the repo to understand what alert #345 migh...

This pull request was created from Copilot chat.

[netlify]

✅ Deploy Preview for nifty-bassi-e26446 ready!

Name	Link
🔨 Latest commit	6236131
🔍 Latest deploy log	https://app.netlify.com/projects/nifty-bassi-e26446/deploys/69cd84009a34030008e0cf41
😎 Deploy Preview	https://deploy-preview-3946--nifty-bassi-e26446.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.