Resolve RUSTSEC-2026-0049 rustls-webpki CRL matching vulnerability

[HudsonGraeme]

Summary

• Upgrades rustls-webpki from 0.103.9 to 0.103.10 to resolve RUSTSEC-2026-0049 (faulty CRL Distribution Point matching)
• RUSTSEC-2026-0037 (quinn-proto DoS) was already resolved in Resolve unauthenticated remote DoS in quinn-proto QUIC parsing #54

Only Cargo.lock is modified; no source changes. The patched version is within semver-compatible range, pulled via cargo update rustls-webpki@0.103.9.

Verification

• cargo audit confirms neither RUSTSEC-2026-0037 nor RUSTSEC-2026-0049 appear
• cargo clippy --workspace -- -D warnings passes clean
• cargo fmt --check passes

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60fafa44-d3d2-4c6a-afa8-e0e6cf28ab4e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch resolve/transitive-dependency-vulnerabilities

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}