
chore(deps): update aws-lc-rs/aws-lc-sys and rustls-webpki#8674

Merged: jdx merged 1 commit into main from chore/update-aws-lc-sys on Mar 21, 2026

Conversation

jdx (Owner) commented Mar 21, 2026

Summary

  • Update aws-lc-rs 1.15.4 → 1.16.2 and aws-lc-sys 0.37.0 → 0.39.0 to fix RUSTSEC-2026-0044 through 0048
  • Update rustls-webpki 0.103.9 → 0.103.10 to fix RUSTSEC-2026-0049
  • Ignore RUSTSEC-2026-0049 for rustls-webpki 0.101.7 (pinned by rustls 0.21 in aws-smithy-http-client, no safe upgrade available upstream)

Test plan

  • cargo deny check passes
  • CI lint job passes

🤖 Generated with Claude Code


Cursor Bugbot note: Medium Risk
Updates core TLS/crypto dependencies (aws-lc-*, rustls-webpki) and adjusts advisory handling, which can subtly affect certificate validation and TLS behavior even though changes are dependency-only.

Overview
Updates the Rust dependency lockfile to pull in patched security-related crates, notably aws-lc-rs/aws-lc-sys and rustls-webpki (plus associated transitive version shifts like windows-sys, windows-registry, and base64).

Adds a cargo-deny advisory ignore entry for RUSTSEC-2026-0049 to acknowledge an un-upgradable rustls-webpki 0.101.7 pulled via rustls 0.21/aws-smithy-http-client.

Written by Cursor Bugbot for commit ef8bbfd.

- Update aws-lc-rs 1.15.4 -> 1.16.2 and aws-lc-sys 0.37.0 -> 0.39.0
  to fix RUSTSEC-2026-0044 through RUSTSEC-2026-0048
- Update rustls-webpki 0.103.9 -> 0.103.10 to fix RUSTSEC-2026-0049
- Ignore RUSTSEC-2026-0049 for rustls-webpki 0.101.7 (pinned by
  rustls 0.21 in aws-smithy-http-client, no safe upgrade available)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the project's security by updating several key dependencies in the Cargo.lock file. The updates specifically target aws-lc-rs, aws-lc-sys, and rustls-webpki to mitigate multiple identified security vulnerabilities. A temporary ignore rule has been introduced for a rustls-webpki vulnerability that is currently unresolvable due to upstream dependency constraints, ensuring that the project remains compliant with security checks while acknowledging the limitation.

Highlights

  • Security Updates for AWS-LC: Updated aws-lc-rs from 1.15.4 to 1.16.2 and aws-lc-sys from 0.37.0 to 0.39.0, addressing RUSTSEC-2026-0044 through 0048.
  • Security Update for Rustls-Webpki: Updated rustls-webpki from 0.103.9 to 0.103.10, resolving RUSTSEC-2026-0049.
  • Temporary Security Advisory Ignore: Added an ignore rule in deny.toml for RUSTSEC-2026-0049 for rustls-webpki version 0.101.7, as a safe upgrade is not currently available due to transitive dependency constraints.

greptile-apps Bot (Contributor) commented Mar 21, 2026

Greptile Summary

This PR is a targeted security dependency update that resolves RUSTSEC-2026-0044 through 0048 (via aws-lc-rs/aws-lc-sys upgrades) and RUSTSEC-2026-0049 (via rustls-webpki upgrade), while correctly acknowledging the one unfixable instance of the latter through a pinned transitive dependency.

  • aws-lc-rs 1.15.4 → 1.16.2 and aws-lc-sys 0.37.0 → 0.39.0: Fixes RUSTSEC-2026-0044 through 0048 in the AWS-LC cryptographic backend.
  • rustls-webpki 0.103.9 → 0.103.10: Fixes RUSTSEC-2026-0049 for the primary TLS certificate verification path.
  • deny.toml advisory ignore: RUSTSEC-2026-0049 is suppressed for rustls-webpki 0.101.7, which is transitively pulled in by rustls 0.21 inside aws-smithy-http-client — a pinned path with no available upstream fix. The reason is clearly documented.
  • Indirect dependency churn in Cargo.lock: The aws-lc-sys upgrade cascades into several other packages resolving to windows-sys 0.59.0 (from 0.61.2), itertools 0.12.1 (from 0.13.0 in bindgen), and removal of windows-registry 0.6.1. These are normal Cargo dependency resolution side-effects and do not introduce any new security concerns.

Confidence Score: 5/5

  • This PR is safe to merge — it applies known security fixes with no logic changes and appropriately documents the one advisory that cannot be fully remediated.
  • Both changed files are purely dependency metadata (Cargo.lock) and advisory configuration (deny.toml). The deny.toml advisory suppression is narrowly scoped, well-reasoned, and mirrors the established pattern of other entries in that file. The unfixable rustls-webpki 0.101.7 path is a well-known limitation of the aws-smithy-http-client ecosystem. No application logic, APIs, or tests are touched.
  • No files require special attention

Important Files Changed

| Filename | Overview |
|---|---|
| Cargo.lock | Updates aws-lc-rs (1.15.4→1.16.2), aws-lc-sys (0.37.0→0.39.0), and rustls-webpki (0.103.9→0.103.10) to fix security advisories; indirect dependency graph changes include several packages moving from windows-sys 0.61.2→0.59.0 and bindgen switching from itertools 0.13.0→0.12.1 |
| deny.toml | Adds an advisory ignore for RUSTSEC-2026-0049 (rustls-webpki 0.101.7 pinned via rustls 0.21 in aws-smithy-http-client) with clear documented rationale; the ignore is advisory-level and will suppress all instances, but this is acceptable because the fixable 0.103.x path has been updated to 0.103.10 |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Fixed["✅ Fixed by this PR"]
        ALS["aws-lc-rs 1.16.2\n+ aws-lc-sys 0.39.0\n(RUSTSEC-2026-0044..0048)"]
        RWP["rustls-webpki 0.103.10\n(RUSTSEC-2026-0049)"]
    end

    subgraph Suppressed["⚠️ Suppressed in deny.toml"]
        RWP_OLD["rustls-webpki 0.101.7\n(RUSTSEC-2026-0049)\nno upstream fix available"]
    end

    subgraph Chain["Pinned dependency chain"]
        SMITHY["aws-smithy-http-client"] --> RUSTLS21["rustls 0.21"] --> RWP_OLD
    end

    RWP --> RUSTLS23["rustls 0.23.x (modern TLS path)"]
    ALS --> RWP

Last reviewed commit: "chore(deps): update ..."
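The reviewers above describe the pinned chain that keeps rustls-webpki 0.101.7 in the lockfile (aws-smithy-http-client → rustls 0.21 → rustls-webpki 0.101.7) alongside the fixed 0.103.10 path. The script below is an added example, not code from mise or from this PR: it parses a Cargo.lock, lists every resolved version of a crate, and walks the reverse-dependency graph from each version back to the workspace root, so a reviewer can confirm exactly which crate pins the un-upgradable copy before accepting an advisory ignore. The lockfile fragment is constructed for the example; the versions of mise, aws-smithy-http-client and rustls are assumptions (the PR only states the rustls 0.21 / 0.23 lines and the rustls-webpki and aws-lc-* versions).

```python
"""Added example (not mise's code): list every resolved version of a crate in a
Cargo.lock and trace each one back to the workspace root, so the crate that pins
an un-upgradable version (here rustls-webpki 0.101.7 via rustls 0.21 in
aws-smithy-http-client) is visible. The lockfile below is constructed; crate
versions the PR does not state are assumptions."""
import re
from collections import defaultdict

# Constructed Cargo.lock fragment (v3 layout). Cargo writes a bare crate name in
# `dependencies` when only one version is in the graph and "name version" when
# several versions coexist, which is the case for rustls and rustls-webpki here.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "mise"
version = "2026.3.9"
dependencies = [
 "aws-smithy-http-client",
 "rustls 0.23.20",
]

[[package]]
name = "aws-smithy-http-client"
version = "1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls 0.21.12",
]

[[package]]
name = "rustls"
version = "0.21.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls-webpki 0.101.7",
]

[[package]]
name = "rustls"
version = "0.23.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aws-lc-rs",
 "rustls-webpki 0.103.10",
]

[[package]]
name = "aws-lc-rs"
version = "1.16.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aws-lc-sys",
]

[[package]]
name = "aws-lc-sys"
version = "0.39.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.101.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.103.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aws-lc-rs",
]
"""

_KV = re.compile(r'^(name|version) = "([^"]+)"$')


def parse_lock(text):
    """Return one {name, version, dependencies} dict per [[package]] table."""
    packages, cur, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {"name": None, "version": None, "dependencies": []}
            packages.append(cur)
            in_deps = False
        elif cur is None:
            continue  # file header such as `version = 3`
        elif in_deps:
            if line == "]":
                in_deps = False
            elif line.startswith('"'):
                cur["dependencies"].append(line.strip('",'))
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")
        else:
            m = _KV.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return packages


def _vkey(version):
    """Numeric sort key so 0.103.10 sorts after 0.101.7 (string order would not)."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def versions_of(packages, name):
    return sorted((p["version"] for p in packages if p["name"] == name), key=_vkey)


def _resolve(dep, by_name):
    """Map a lockfile dependency string ("name" or "name version") to (name, version)."""
    parts = dep.split()
    if len(parts) > 1:
        return (parts[0], parts[1])
    candidates = by_name[parts[0]]
    if len(candidates) != 1:
        raise ValueError(f"ambiguous bare dependency {dep!r}")
    return (parts[0], candidates[0])


def build_reverse_graph(packages):
    """(name, version) -> list of (name, version) packages that depend on it."""
    by_name = defaultdict(list)
    for p in packages:
        by_name[p["name"]].append(p["version"])
    dependents = defaultdict(list)
    for p in packages:
        for dep in p["dependencies"]:
            dependents[_resolve(dep, by_name)].append((p["name"], p["version"]))
    return dependents


def dependency_chains(packages, name, version):
    """Every path from a root (a package nothing depends on) down to name@version."""
    dependents = build_reverse_graph(packages)
    chains = []

    def walk(node, path):
        parents = dependents.get(node, [])
        if not parents:
            chains.append([f"{n} {v}" for n, v in reversed(path)])
            return
        for parent in parents:
            if parent not in path:  # guard against dev-dependency cycles
                walk(parent, path + [parent])

    walk((name, version), [(name, version)])
    return chains


if __name__ == "__main__":
    pkgs = parse_lock(SAMPLE_LOCK)
    for crate in ("rustls-webpki", "aws-lc-rs"):
        for v in versions_of(pkgs, crate):
            for chain in dependency_chains(pkgs, crate, v):
                print(" -> ".join(chain))
```

On the real repository, `cargo tree -i rustls-webpki@0.101.7` asks cargo itself for the same inverted view; the script is useful when you only have a lockfile (for instance in a CI artifact or a supply-chain review) and want to diff the set of chains before and after a dependency bump.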

gemini-code-assist Bot (Contributor) left a review comment

Code Review

This pull request updates several dependencies to address multiple security vulnerabilities. The changes primarily involve updating Cargo.lock and adding an ignore rule to deny.toml. My review found a significant typo in the RUSTSEC advisory ID being ignored, which would make the rule ineffective. I've provided a correction and suggested adding a link to the upstream issue for better maintainability.

Comment thread deny.toml
{ id = "RUSTSEC-2024-0370", reason = "proc-macro-error dependency from sigstore crate - no safe upgrade available" },
{ id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin attack vulnerability from sigstore crate - no safe upgrade available" },
{ id = "RUSTSEC-2025-0119", reason = "number_prefix crate is unmaintained - used by indicatif/self_update, no safe upgrade available" },
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available" },
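Review bot: the new RUSTSEC-2026-0049 entry on the last line is keyed by advisory id alone, like the three entries above it, so it silences that advisory for every rustls-webpki version in the graph, including the 0.103.x path this PR moves to 0.103.10, should a later lockfile change pull it back below that. The reason string should state the removal condition so the entry does not outlive the pin, for example `{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available; remove once aws-smithy-http-client no longer depends on rustls 0.21" }`, and a `cargo tree -i rustls-webpki@0.101.7` check in CI would show when that pinned path is gone.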


Severity: high

There's a typo in the RUSTSEC advisory ID. It should be RUSTSEC-2024-0049, not RUSTSEC-2026-0049. With the incorrect ID, cargo deny won't ignore the correct advisory, likely causing the security check to fail.

For easier maintenance, please also add a link to the upstream issue tracking this, which appears to be awslabs/aws-sdk-rust#1211. This will help in tracking when this ignore can be removed.

Suggested change
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available" },
{ id = "RUSTSEC-2024-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available, see https://github.com/awslabs/aws-sdk-rust/issues/1211" },

jdx merged commit 66d6d30 into main on Mar 21, 2026
35 of 37 checks passed
jdx deleted the chore/update-aws-lc-sys branch on March 21, 2026 at 10:12
github-actions Bot commented
Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.9 x -- echo | 24.5 ± 0.6 | 23.4 | 30.1 | 1.01 ± 0.05 |
| mise x -- echo | 24.2 ± 1.0 | 23.3 | 35.5 | 1.00 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.9 env | 23.8 ± 0.8 | 22.8 | 30.2 | 1.00 |
| mise env | 24.1 ± 0.7 | 22.8 | 26.9 | 1.01 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.9 hook-env | 24.2 ± 0.4 | 23.5 | 26.9 | 1.00 |
| mise hook-env | 24.7 ± 0.6 | 23.4 | 27.0 | 1.02 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.9 ls | 23.5 ± 1.5 | 22.4 | 45.4 | 1.01 ± 0.07 |
| mise ls | 23.3 ± 0.6 | 22.7 | 32.8 | 1.00 |

xtasks/test/perf

| Command | mise-2026.3.9 | mise | Variance |
|---|---|---|---|
| install (cached) | 151ms | 151ms | +0% |
| ls (cached) | 83ms | 83ms | +0% |
| bin-paths (cached) | 87ms | 86ms | +1% |
| task-ls (cached) | 819ms | 828ms | -1% |
