chore(deps): bump taiki-e/install-action from 2.58.30 to 2.62.2 #53
Merged
gilescope merged 2 commits on Sep 23, 2025
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.58.30 to 2.62.2.

- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@c0dee14...cd39cb0)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.62.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Great job! No new security vulnerabilities introduced in this pull request
gilescope approved these changes Sep 23, 2025

m2ux added a commit that referenced this pull request Apr 22, 2026

Add zeroize dependency and use it to clear intermediate buffers and hex-encoded signing key strings in execute_deploy and execute_maintain to prevent sensitive material from lingering in memory.

- Add zeroize = "1" to util/toolkit/Cargo.toml
- Import zeroize::Zeroize in toolkit_js/mod.rs
- Add zeroize_string helper for heap-allocated Strings
- Zeroize raw signing key bytes after hex encoding in deploy
- Zeroize hex signing key after toolkit-js execution in deploy
- Zeroize new_authority hex after toolkit-js execution in maintain

Refs: #53
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Made-with: Cursor
m2ux added a commit that referenced this pull request Apr 30, 2026

…eploy/maintain

PM-22038 inadvertently reverted the PM-22034 zeroization fix when this file was re-touched. The Vec<u8> from serialize_untagged(...signing_key()) and the hex String it's encoded into are not covered by WalletSeed's ZeroizeOnDrop, so they need explicit zeroization on both success and error paths.

Refs: PM-22034, #53
Signed-off-by: Mike Clay <mike.clay@shielded.io>
RomarQ pushed a commit to RomarQ/midnight-node that referenced this pull request May 5, 2026

… buffers (midnightntwrk#1379)

* Add change file for incomplete zeroization buffers fix

  Issue: midnightntwrk/midnight-security#53
  Signed-off-by: Mike Clay <mike.clay@shielded.io>
  Made-with: Cursor

* fix(toolkit): zeroize signing key buffers after use

  Add zeroize dependency and use it to clear intermediate buffers and hex-encoded signing key strings in execute_deploy and execute_maintain to prevent sensitive material from lingering in memory.

  - Add zeroize = "1" to util/toolkit/Cargo.toml
  - Import zeroize::Zeroize in toolkit_js/mod.rs
  - Add zeroize_string helper for heap-allocated Strings
  - Zeroize raw signing key bytes after hex encoding in deploy
  - Zeroize hex signing key after toolkit-js execution in deploy
  - Zeroize new_authority hex after toolkit-js execution in maintain

  Refs: midnightntwrk#53
  Signed-off-by: Mike Clay <mike.clay@shielded.io>
  Made-with: Cursor

* fix(toolkit): remove custom unsafe zeroize helper, fix error-path zeroization

  - Replace custom zeroize_string helper with direct String::zeroize() from the zeroize crate, eliminating local unsafe.
  - Fix error-path zeroization gap by zeroizing strings before propagating execute_js errors via ? operator.

  Signed-off-by: Mike Clay <mike.clay@shielded.io>
  Made-with: Cursor

* docs: add PR link to changes file

  Signed-off-by: Mike Clay <mike.clay@shielded.io>
  Made-with: Cursor

* chore(toolkit): promote zeroize to workspace dependency

---------

Signed-off-by: Mike Clay <mike.clay@shielded.io>
RomarQ pushed a commit to RomarQ/midnight-node that referenced this pull request May 5, 2026

…idnightntwrk#1217)

* fix: harden WalletSeed, Keypair, and address code quality (PM-22038)

  Address Least Authority audit Suggestion 3 (A2):

  - WalletSeed: remove Copy (required for ZeroizeOnDrop), add Zeroize+ZeroizeOnDrop, implement redacted Debug that prints WalletSeed::<variant>(***) instead of raw bytes. Keep Clone (needed for HashMap dual-ownership pattern) and Hash/PartialEq/Eq (required for HashMap<WalletSeed, Wallet<D>> key).
  - Keypair: remove Clone (zero callers — pure parsing wrapper).
  - MaintenanceUpdateBuilder::add_addresses: accept &[MaintenanceCounter] and use zip iterator instead of unchecked index loop, eliminating potential index out-of-bounds panic.
  - WalletSeed::try_from_lazy_hex: pre-validate hex string length (max 128 hex chars) before calling hex::decode, preventing memory allocation from oversized untrusted input.
  - Fix all Copy-removal compilation errors across ledger/helpers and util/toolkit by adding explicit .clone() at ownership transfer points.
  - Add unit tests for redacted Debug output, hex length validation, zip truncation safety, and HashMap key compatibility.

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix: add explicit Clone calls where WalletSeed lost Copy trait

  WalletSeed no longer derives Copy (removed for security hardening). Two test helpers and one genesis utility need explicit .clone() to construct owned values from borrows.

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix: add Clone calls for WalletSeed in e2e tests and fix formatting

  Add explicit .clone() on WalletSeed in e2e tests and format merge-resolved files to satisfy CI cargo fmt check.

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix: remaining Clone calls and cargo fmt formatting

  Add .clone() for WalletSeed in transaction, utxo_spend, dust_balance, generate_intent, show_wallet, and contract_maintenance. Apply cargo fmt.

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* chore: add change file for PM-22038 (PR midnightntwrk#1217)

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix: add GitHub issue reference to changes file

  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix: add missing .clone() for WalletSeed after Copy removal

  Made-with: Cursor
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* fix(toolkit): restore zeroization of signing-key buffers in execute_deploy/maintain

  PM-22038 inadvertently reverted the PM-22034 zeroization fix when this file was re-touched. The Vec<u8> from serialize_untagged(...signing_key()) and the hex String it's encoded into are not covered by WalletSeed's ZeroizeOnDrop, so they need explicit zeroization on both success and error paths.

  Refs: PM-22034, midnightntwrk#53
  Signed-off-by: Mike Clay <mike.clay@shielded.io>

* chore: update Cargo.lock for toolkit zeroize dep

  Signed-off-by: Mike Clay <mike.clay@shielded.io>

---------

Signed-off-by: Mike Clay <mike.clay@shielded.io>
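
The error-path gap described in the referenced commits, as an added example that is not the midnight-node code: an early return via `?` skips any wipe written after the fallible call, so the result is held, the buffers are cleared, and only then is the result returned. The names `wipe`, `wipe_string`, `hex_encode` and `run_with_key` are hypothetical, and the std-only volatile wipe is a stand-in for the `zeroize` crate so the block runs without dependencies.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

// Std-only stand-in for `Zeroize::zeroize()`: volatile stores keep the
// compiler from eliding the overwrite of memory that is about to be freed.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusive reference to a single byte.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

fn wipe_string(s: &mut String) {
    // SAFETY: only NUL bytes are written, so the contents stay valid UTF-8.
    wipe(unsafe { s.as_bytes_mut() });
}

// Encode into a pre-sized String so growth never reallocates and leaves an
// unwiped copy of the key behind in freed memory.
fn hex_encode(raw: &[u8]) -> String {
    const DIGITS: &[u8; 16] = b"0123456789abcdef";
    let mut out = String::with_capacity(raw.len() * 2);
    for &b in raw {
        out.push(DIGITS[(b >> 4) as usize] as char);
        out.push(DIGITS[(b & 0x0f) as usize] as char);
    }
    out
}

// Hypothetical deploy step; `run` stands in for the external call that needs
// the hex key. The wiped hex buffer is returned only so its state can be checked.
fn run_with_key<F>(raw_key: &mut Vec<u8>, run: F) -> (Result<String, String>, String)
where
    F: FnOnce(&str) -> Result<String, String>,
{
    let mut hex_key = hex_encode(raw_key.as_slice());
    wipe(raw_key.as_mut_slice()); // raw bytes are not needed after encoding
    // Writing `run(&hex_key)?` here would return early on Err and skip the wipe.
    let result = run(&hex_key);
    wipe_string(&mut hex_key); // reached on both the Ok and the Err path
    (result, hex_key)
}

fn main() {
    let mut key = vec![0xde, 0xad, 0xbe, 0xef]; // constructed sample, not a real key
    let (res, hex) = run_with_key(&mut key, |_| Err("call failed".to_string()));
    let wiped = key.iter().all(|&b| b == 0) && hex.bytes().all(|b| b == 0);
    println!("result={:?} wiped={}", res, wiped);
}
```

A type that wipes itself in `Drop`, as WalletSeed does through ZeroizeOnDrop, gives the same coverage on every exit path without depending on statement order.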

Bumps taiki-e/install-action from 2.58.30 to 2.62.2.
Release notes
Sourced from taiki-e/install-action's releases.
... (truncated)
Changelog
Sourced from taiki-e/install-action's changelog.
... (truncated)
Commits
- cd39cb0 Release 2.62.2
- bfb416b Update `vacuum@latest` to 0.18.5
- df23533 Update `cargo-shear@latest` to 1.5.2
- 029e015 Update `cargo-deny@latest` to 0.18.5
- d6912b4 Release 2.62.1
- ac4d226 Update `mise@latest` to 2025.9.15
- a878b70 Update `cargo-udeps@latest` to 0.1.59
- 16ab0e7 Update `git-cliff@latest` to 2.10.1
- 0e09747 Release 2.62.0
- 1856fd6 Update changelog

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)