fix(security): update rustls-webpki for dependabot alert

2026-05-06 20:02:49 +08:00 · 2026-04-25 11:25:24 +08:00
parent e6616deb1b
commit a3a1c4db82
2 changed files with 3 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@
 - **Hermes Gateway 启动自修复** — 启动前自动检查并修复 `platforms.api_server.enabled`，避免升级或手动编辑配置后 Gateway 缺失 `/v1/runs` 能力
 - **Web/桌面下载行为分流** — `hermes_logs_download` 根据运行时区分桌面真实落盘与 Web Blob 下载，避免 Web 模式误保存到服务端目录
 - **普通记忆文件下载提示** — Blob 下载提示改为说明浏览器默认下载目录，减少“下载没落点”的误解
+- **Dependabot #11** — 升级 `rustls-webpki` 至 `0.103.13`，修复畸形 CRL BIT STRING 触发 panic 的拒绝服务风险

 ## [0.13.4] - 2026-04-20

--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@@ -3265,9 +3265,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.12"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "ring",
 "rustls-pki-types",