
fix(security): imageproc 0.26 + NaN panic hardening across ruvllm/ruvector-postgres#505

Merged
ruvnet merged 1 commit into research/connectome-ruvector from fix/security-audit-2026-05-23-v2 on May 23, 2026

Conversation


@ruvnet ruvnet commented May 23, 2026

Summary

Security hardening for the Connectome-OS / RuVector workspace, targeting the `research/connectome-ruvector` branch (which backs the Connectome-OS project).

RUSTSEC Advisory Fixes

| Advisory | Crate | Fix |
|---|---|---|
| RUSTSEC-2026-0115 | imageproc 0.25.0 (improper bounds check) | Bumped to 0.26.2 in examples/scipix/Cargo.toml |
| RUSTSEC-2026-0116 | imageproc 0.25.0 (fragile bounds check) | Same bump |
| RUSTSEC-2026-0117 | imageproc 0.25.0 (fragile sampling) | Same bump |
| RUSTSEC-2024-0421 | idna 0.5.0 via validator 0.18 | validator → 0.20 (already on base branch) |
| RUSTSEC-2026-0098/0099/0104 | rustls-webpki 0.101.7/0.103.10 | reqwest → 0.12, webpki pinned to 0.103.13 (already on base) |

Stale ignore entries for the three imageproc advisories removed from .cargo/audit.toml (now actually fixed rather than suppressed).

NaN Panic Hardening (partial_cmp → total_cmp)

Replaced all remaining bare .partial_cmp(...).unwrap() calls — which panic if NaN enters a float slice — with .total_cmp(...) (stable Rust 1.62+, total order, no panic) in production source files:

  • crates/ruvllm/src/claude_flow/agent_router.rs — score max/sort
  • crates/ruvllm/src/claude_flow/task_classifier.rs — task score sort
  • crates/ruvllm/src/evaluation/economics.rs — percentile computation
  • crates/ruvllm/src/metal/operations.rs — argmax over logit arrays
  • crates/ruvllm/src/qat/calibration.rs — quantization percentile
  • crates/ruvllm/src/training/grpo.rs — reward/advantage max lookup
  • crates/ruvector-postgres/src/healing/strategies.rs — strategy weight max
  • crates/ruvector-postgres/src/learning/patterns.rs — k-means++ distance
  • crates/ruvector-postgres/src/learning/reasoning_bank.rs — similarity sort
  • crates/ruvector-postgres/src/math/operators.rs — Wasserstein CDF sort
  • crates/ruvector-postgres/src/quantization/binary.rs — rerank sort
  • crates/ruvector-postgres/src/sparse/types.rs — top-k sparse abs sort
  • crates/ruvector-solver/src/forward_push.rs — argmax in test assertion

Test plan

  • cargo audit --no-fetch reports zero vulnerabilities
  • cargo check -p connectome-fly compiles with no errors
  • cargo check -p ruvllm compiles with no errors
  • CI passes

🤖 Generated with claude-flow

Build on the existing security audit branch with additional hardening:

- **RUSTSEC-2026-0115/0116/0117**: Bump `imageproc 0.25` → `0.26.2` in
  `examples/scipix/Cargo.toml`. All three soundness notices (improper bounds
  checks and fragile sampling code) are fixed in 0.26.x. Remove the
  now-stale ignore entries from `.cargo/audit.toml`.

Replace remaining bare `.partial_cmp(...).unwrap()` — which panics when
NaN appears in the slice — with `.total_cmp(...)` (stable since Rust 1.62,
NaN-total, no panic) in production source files:

- `crates/ruvllm/src/claude_flow/agent_router.rs` (score max/sort)
- `crates/ruvllm/src/claude_flow/task_classifier.rs` (score sort)
- `crates/ruvllm/src/evaluation/economics.rs` (percentile sort)
- `crates/ruvllm/src/metal/operations.rs` (argmax over logits)
- `crates/ruvllm/src/qat/calibration.rs` (percentile sort)
- `crates/ruvllm/src/training/grpo.rs` (reward/advantage max)
- `crates/ruvector-postgres/src/healing/strategies.rs` (strategy weight max)
- `crates/ruvector-postgres/src/learning/patterns.rs` (k-means++ distance)
- `crates/ruvector-postgres/src/learning/reasoning_bank.rs` (similarity sort)
- `crates/ruvector-postgres/src/math/operators.rs` (Wasserstein sort)
- `crates/ruvector-postgres/src/quantization/binary.rs` (rerank sort)
- `crates/ruvector-postgres/src/sparse/types.rs` (top-k sparse abs sort)
- `crates/ruvector-solver/src/forward_push.rs` (argmax in test)

Co-Authored-By: claude-flow <ruv@ruv.net>
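The example below is added here and is not code from the repository this PR modifies. It reproduces the failure mode the PR description and commit message both describe, a bare `.partial_cmp(...).unwrap()` panicking once a NaN reaches a float slice, next to the `.total_cmp(...)` replacement, on the two shapes the PR touches most (argmax over logits, percentile over a sorted slice). It also shows the caveat a reviewer of this change should keep in mind: `total_cmp` orders a positive NaN above `+inf`, so the swap turns a crash into a NaN silently winning the comparison. The function names (`argmax_partial`, `argmax_total`, `argmax_finite`, `percentile_total`, `panics`) and the sample logit array are hypothetical; `panics` uses `std::panic::catch_unwind` only to demonstrate the abort without killing the process.

```rust
// Added example, not code from the repository this PR modifies. It contrasts the
// pre-fix `.partial_cmp(..).unwrap()` pattern with the `.total_cmp(..)` pattern
// the PR switches to, on an argmax-over-logits and a percentile computation.
// All function names here are hypothetical.
use std::panic;

/// Pre-fix pattern: `partial_cmp` returns `None` when either side is NaN, and the
/// `unwrap` turns that into a panic. One NaN in the slice aborts the caller.
pub fn argmax_partial(xs: &[f32]) -> Option<usize> {
    xs.iter()
        .enumerate()
        .max_by(|(_, a), (_, b)| a.partial_cmp(b).unwrap())
        .map(|(i, _)| i)
}

/// Post-fix pattern: `total_cmp` is a total order over all f32 bit patterns,
/// so it never panics. Caveat: a positive NaN sorts above +inf, so if a NaN is
/// present it *becomes* the argmax instead of crashing the process.
pub fn argmax_total(xs: &[f32]) -> Option<usize> {
    xs.iter()
        .enumerate()
        .max_by(|(_, a), (_, b)| a.total_cmp(b))
        .map(|(i, _)| i)
}

/// Defensive variant: skip NaNs before comparing, so a poisoned logit can
/// neither panic nor be selected.
pub fn argmax_finite(xs: &[f32]) -> Option<usize> {
    xs.iter()
        .enumerate()
        .filter(|(_, v)| !v.is_nan())
        .max_by(|(_, a), (_, b)| a.total_cmp(b))
        .map(|(i, _)| i)
}

/// Nearest-rank percentile via a `total_cmp` sort (the shape of the percentile
/// code the PR touches). NaNs sort to the ends of the slice instead of aborting
/// the sort, so they surface only at the extreme percentiles.
pub fn percentile_total(xs: &[f32], p: f32) -> Option<f32> {
    if xs.is_empty() {
        return None;
    }
    let mut v = xs.to_vec();
    v.sort_by(|a, b| a.total_cmp(b));
    let idx = (p.clamp(0.0, 1.0) * (v.len() - 1) as f32).round() as usize;
    Some(v[idx])
}

/// Runs `f` and reports whether it panicked, silencing the default panic
/// message so the demonstration output stays readable.
pub fn panics<F: FnOnce() + panic::UnwindSafe>(f: F) -> bool {
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let panicked = panic::catch_unwind(f).is_err();
    panic::set_hook(prev);
    panicked
}

fn main() {
    // Constructed logit array with one NaN (e.g. the result of a 0/0 in a softmax).
    let logits = [0.5f32, f32::NAN, 2.0, -1.0];
    println!("partial_cmp argmax panics: {}", panics(|| { argmax_partial(&logits); }));
    println!("total_cmp argmax:          {:?}", argmax_total(&logits));  // Some(1): the NaN wins
    println!("finite-only argmax:        {:?}", argmax_finite(&logits)); // Some(2)
    println!("p50 with total_cmp sort:   {:?}", percentile_total(&logits, 0.5));
}
```

The practical takeaway for call sites like the argmax over logits: the `total_cmp` swap closes the denial-of-service vector (one NaN no longer aborts the request or the extension process), but it does not decide what a NaN should mean. Where a NaN must never be selected, filter non-finite values before the comparison as `argmax_finite` does, or reject NaN at the point where the slice is produced.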
@ruvnet ruvnet force-pushed the fix/security-audit-2026-05-23-v2 branch from 6c6dadd to 07e1962 on May 23, 2026 09:47
@ruvnet ruvnet merged commit 8667f1f into research/connectome-ruvector May 23, 2026
10 of 24 checks passed
@ruvnet ruvnet deleted the fix/security-audit-2026-05-23-v2 branch May 23, 2026 09:48
