
fix(deps): trim bat to resolve RUSTSEC-2024-0320 #7061

Merged: codefromthecrypt merged 1 commit into main from fix/remove-yaml-rust-dep, Feb 8, 2026

Conversation

@codefromthecrypt
Collaborator

Summary

Resolve RUSTSEC-2024-0320 (yaml-rust unmaintained) by trimming bat to only the features goose-cli actually uses.

Type of Change

  • Security fix

AI Assistance

  • This PR was created or reviewed with AI assistance

Testing

cargo check -p goose-cli
cargo tree -i yaml-rust  # errors with "did not match any packages"

Related Issues

Fixes #7010

Signed-off-by: Adrian Cole <adrian@tetrate.io>
Copilot AI review requested due to automatic review settings February 7, 2026 00:16
Contributor

Copilot AI left a comment

Pull request overview

This PR addresses RUSTSEC-2024-0320 by reducing goose-cli’s dependency surface for bat, disabling bat’s default features and enabling only the feature(s) needed by the CLI so that yaml-rust is no longer pulled into the dependency tree.

Changes:

  • Update goose-cli’s bat dependency to default-features = false with a minimal feature set (regex-onig).
  • Refresh Cargo.lock to reflect the trimmed transitive dependency graph, removing yaml-rust and related unused crates.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

Reviewed files:

  • crates/goose-cli/Cargo.toml: Disables bat default features and enables only regex-onig to avoid pulling unnecessary transitive deps.
  • Cargo.lock: Updates the resolved dependency graph; removes yaml-rust and multiple transitive crates no longer required.
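The shape of the Cargo.toml change, as an added illustration rather than the PR's own diff (which this page does not reproduce). The version string is a placeholder assumption, and the exact set of crates that drops out of Cargo.lock depends on the rest of the workspace:

```toml
# crates/goose-cli/Cargo.toml (added illustration, not the PR's diff)
[dependencies]

# Before (remove this line): bat's default features are on, and one of
# them transitively pulled in the unmaintained yaml-rust crate
# (RUSTSEC-2024-0320) that goose-cli never used.
# bat = "0.25"                       # version is a placeholder assumption

# After: opt out of default features and enable only what the CLI uses.
# regex-onig is the single feature this PR keeps.
bat = { version = "0.25", default-features = false, features = ["regex-onig"] }
```

Two checks are worth keeping after a trim like this. First, Cargo unifies features across a workspace, so if any other crate in the tree depends on bat with its default features, the trimmed crate gets them back anyway; running `cargo tree -i yaml-rust` from the workspace root (the command in the Testing section above) catches that, and `cargo audit` would flag RUSTSEC-2024-0320 again if the crate reappears. Second, `cargo tree -e features -p bat` shows which bat features are actually active, which is the thing to re-check whenever bat is bumped, since a new release can change what a given feature pulls in.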

@codefromthecrypt codefromthecrypt added this pull request to the merge queue Feb 8, 2026
Merged via the queue into main with commit a251fec Feb 8, 2026
24 checks passed
@codefromthecrypt codefromthecrypt deleted the fix/remove-yaml-rust-dep branch February 8, 2026 02:24
tlongwell-block added a commit that referenced this pull request Feb 9, 2026
* origin/main: (55 commits)
  test(mcp): add image tool test and consolidate MCP test fixtures (#7019)
  fix: remove Option from model listing return types, propagate errors (#7074)
  fix: lazy provider creation for goose acp (#7026) (#7066)
  Smoke tests: split compaction test and use debug build (#6984)
  fix(deps): trim bat to resolve RUSTSEC-2024-0320 (#7061)
  feat: expose AGENT_SESSION_ID env var to extension child processes (#7072)
  fix: add XML tool call parsing fallback for Qwen3-coder via Ollama (#6882)
  Remove clippy too_many_lines lint and decompose long functions (#7064)
  refactor: move disable_session_naming into AgentConfig (#7062)
  Add global config switch to disable automatic session naming (#7052)
  docs: add blog post - 8 Things You Didn't Know About Code Mode (#7059)
  fix: ensure animated elements are visible when prefers-reduced-motion is enabled (#7047)
  Show recommended model on failure (#7040)
  feat(ui): add session content search via API (#7050)
  docs: fix img url (#7053)
  Desktop UI for deleting custom providers (#7042)
  Add blog post: How I Used RPI to Build an OpenClaw Alternative (#7051)
  Remove build-dependencies section from Cargo.toml (#6946)
  add /rp-why skill blog post (#6997)
  fix: fix snake_case function names in code_execution instructions (#7035)
  ...

# Conflicts:
#	scripts/test_subrecipes.sh
lifeizhou-ap added a commit that referenced this pull request Feb 9, 2026
jh-block added a commit that referenced this pull request Feb 9, 2026
Tyler-Hardin pushed a commit to Tyler-Hardin/goose that referenced this pull request Feb 11, 2026
Signed-off-by: Adrian Cole <adrian@tetrate.io>
Development

Successfully merging this pull request may close these issues.

RUSTSEC-2024-0320: yaml-rust is unmaintained.

2 participants