dev: fix dep warnings originating from `trunk check --all`

[Eikix]

Address Security Vulnerabilities and Lint Issues Identified by Trunk Check

Description

Running trunk check --all at the root of the repository revealed 12 security vulnerabilities in dependencies listed in Cargo.lock and 2 lint issues in the codebase. This issue tracks the necessary updates and refactoring to resolve these problems, prioritized by severity and impact.

Security Vulnerabilities (Cargo.lock)

The following dependencies have known vulnerabilities or maintenance issues. Proposed actions include updating to patched versions (where available) or replacing unmaintained crates.

1. High Priority: array-init-cursor (v0.2.0)

   • Issues:
     • Unsound when used with types implementing Drop (GHSA-67r5-rqwv-9p9q, RUSTSEC-2025-0019).
   • Action: No patched version exists. Replace with a maintained alternative (e.g., arrayvec or manual array initialization).
   • Line: 536:0

2. High Priority: openssl (v0.10.71)

   • Issues:
     • Use-after-free in Md::fetch and Cipher::fetch (GHSA-4fcv-w3qc-ppgg, RUSTSEC-2025-0022).
   • Action: Update to openssl v0.10.72 or later if available, or switch to rustls for a safer alternative.
   • Line: 2774:0

3. High Priority: paste (v1.0.15)

   • Issue: No longer maintained (RUSTSEC-2024-0436).
   • Action: Replace with an actively maintained crate like quote or syn for code generation needs.
   • Line: 2884:0

4. High Priority: pyo3 (v0.23.5)

   • Issues:
     • Buffer overflow risk in PyString::from_object (GHSA-pph8-gcv7-4qj5, RUSTSEC-2025-0020).
   • Action: Update to pyo3 v0.23.6 or later if patched, or review usage to mitigate risk.
   • Line: 3561:0

5. High Priority: ring (v0.17.11)

   • Issues:
     • AES functions may panic with overflow checking enabled (RUSTSEC-2025-0009).
   • Action: Update to ring v0.17.12 or later if patched, or switch to aes crate from Rust Crypto.
   • Line: 4056:0

6. High Priority: tokio (v1.43.0)

   • Issues:
     • Broadcast channel calls clone in parallel without requiring Sync (GHSA-rr8g-9fpq-6wmg, RUSTSEC-2025-0023).
   • Action: Update to tokio v1.44.0 or later if patched, or enforce Sync bounds manually.
   • Line: 5105:0

7. High Priority: derivative (v2.2.0)

   • Issue: Unmaintained (RUSTSEC-2024-0388).
   • Action: Replace with derive_more or another maintained derive crate.
   • Line: 1279:0

8. Medium Priority: ring (v0.17.11)

   • Issue:
     • Additional note on AES panic issue (GHSA-4p46-pwfr-66x6).
   • Action: Same as above (update or replace).
   • Line: 4056:0

9. Medium Priority: rust-openssl (v0.10.71)

   • Issue:
     • Use-after-free overlap with openssl (GHSA-4fcv-w3qc-ppgg).
   • Action: Same as openssl above.
   • Line: 2774:0

10. Low Priority: pyo3 (v0.23.5)

    • Issue:
      • Lower-severity note on buffer overflow (GHSA-pph8-gcv7-4qj5).
    • Action: Same as above (update or review).
    • Line: 3561:0

11. Low Priority: tokio (v1.43.0)

    • Issue:
      • Lower-severity note on broadcast channel (GHSA-rr8g-9fpq-6wmg).
    • Action: Same as above (update or enforce bounds).
    • Line: 5105:0

12. Low Priority: array-init-cursor (v0.2.0)

    • Issue:
      • Lower-severity note on unsoundness (GHSA-67r5-rqwv-9p9q).
    • Action: Same as above (replace).
    • Line: 536:0

Lint Issues (Codebase)

The following functions exceed the recommended number of arguments per Clippy’s too_many_arguments rule (max 7).

1. Medium Priority: crates/cairo-addons/src/vm/pythonic_hint.rs:175:5

   • Issue: Function has 8 arguments.
   • Action: Refactor to use a struct or builder pattern to group related arguments.
   • Line: 175:5

2. Medium Priority: crates/cairo-addons/src/vm/runner.rs:74:5

   • Issue: Function has 9 arguments.
   • Action: Refactor to use a struct or builder pattern to group related arguments.
   • Line: 74:5

Steps to Resolve

1. Dependency Updates: Run cargo update and manually adjust versions in Cargo.toml where necessary. Replace unmaintained crates with alternatives.
2. Code Refactoring: Address lint issues by refactoring functions with excessive arguments.
3. Verification: Re-run trunk check --all to confirm all issues are resolved.

Priority Rationale

• High: Critical security vulnerabilities (e.g., use-after-free, buffer overflows) or unmaintained crates that require immediate replacement.
• Medium: Non-critical security issues or code quality improvements that should be addressed soon.
• Low: Lower-severity duplicates of higher-priority issues, less urgent but still actionable.

Additional Notes

• Assign this issue to the appropriate team member(s).
• Consider automating dependency updates with a tool like Dependabot to prevent future vulnerabilities.

[Eikix]

Tried generating this with Grok, open to feedback whether we want to address warnings