fix(security): Consolidate remaining PRs with RUSTSEC-2026-0002 security fix

[doublegate]

Summary

This PR consolidates the remaining 3 open PRs (#45, #32, #27) by:

1. Applying critical security fix from PR chore(deps): bump iced from 0.13.1 to 0.14.0 #45 (RUSTSEC-2026-0002 lru vulnerability)
2. Documenting why other PRs are superseded or deferred

Security Fix Applied (from PR #45)

• Advisory: RUSTSEC-2026-0002
• Affected Package: lru 0.12.5 (transitive dependency via iced_glyphon)
• Issue: IterMut violates Stacked Borrows by invalidating internal pointers
• Fix: Vendor patched iced_glyphon v0.6.0 with lru updated to v0.16.3

Dependency Chain Fixed:

rustirc -> rustirc-gui -> iced 0.13.1 -> iced_wgpu -> iced_glyphon -> lru

PRs Consolidated

PR	Title	Status	Notes
#45	iced 0.14.0 upgrade	Partially Applied	Security fix extracted; full migration deferred (82+ breaking changes)
#32	ANSI escape fix	Superseded	Content already in main (scripts/README.md, url_logger.lua)
#27	Phase 4 docs	Superseded	Nearly identical to #32; content already in main

Why iced 0.14.0 Full Migration is Deferred

Analysis of PR #45 showed 82 compilation errors across these categories:

• 42x Space::with_width -> Space::width (API rename)
• 5x text_input::Status enum changes
• 5x Pixels trait bound changes (u16 -> f32)
• 4x missing snap field in Style structs
• Multiple scrollable/pane_grid API changes

This is manageable but requires dedicated effort and testing. Recommended: Create separate iced 0.14.0 migration PR.

Code Quality Improvements

• Add Default derive to PluginCapabilities (clippy::derivable_impls)
• Add dead_code allows for reserved Phase 4+ fields in ScriptApi

Verification

• cargo fmt --check - Zero formatting issues
• cargo clippy --workspace -- -D warnings - Zero warnings
• cargo test --workspace --lib --bins - All unit tests pass
• cargo test --workspace --doc - All doctests pass
• Security fix verified: lru v0.16.3 in dependency tree

Test Plan

• CI pipeline passes on all platforms (Linux, macOS, Windows)
• No regression in existing GUI functionality
• Security audit passes with patched lru

Files Changed

• Cargo.toml - Added patch section for iced_glyphon
• Cargo.lock - Updated with patched dependencies
• SECURITY-FIX-RUSTSEC-2026-0002.md - Documentation of security fix
• vendor/ - Patched iced_glyphon source
• crates/rustirc-plugins/src/api.rs - Clippy fix
• crates/rustirc-scripting/src/api.rs - Clippy fix

Recommended Follow-up

• Create separate PR for full iced 0.14.0 migration
• Close PRs docs: Update documentation for Phase 4 Scripting completion #27, Copilot/fix ansi escape sequence issue #32 as superseded
• Consider closing PR chore(deps): bump iced from 0.13.1 to 0.14.0 #45 with note about security fix applied

---

Generated with Claude Code

---

Note

Applies the RUSTSEC-2026-0002 fix and streamlines minor APIs.

• Security: Adds crates-io patch in Cargo.toml to vendor iced_glyphon with lru upgraded to 0.16.3; references SECURITY-FIX-RUSTSEC-2026-0002.md.
• Plugins: Derives Default for PluginCapabilities and removes the manual Default impl.
• Scripting: Cleans unused imports and marks future Phase 4 fields with #[allow(dead_code)] in ScriptApi.

^{Written by Cursor Bugbot for commit a73cef7. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Summary of Changes

Hello @doublegate, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on resolving a critical memory safety vulnerability (RUSTSEC-2026-0002) found in the lru crate, a transitive dependency of the iced GUI framework. The fix is implemented by vendoring a patched version of iced_glyphon that uses an updated, secure lru version. Additionally, the PR consolidates and provides clear status updates for several other pending pull requests, strategically deferring a larger iced framework upgrade due to its extensive breaking changes. Minor code quality enhancements and updates to dependency review configurations are also included to maintain project health and security standards.

Highlights

• Critical Security Fix: Addressed RUSTSEC-2026-0002, a soundness vulnerability in the lru crate (transitive dependency via iced_glyphon), by vendoring a patched version of iced_glyphon that updates its lru dependency to 0.16.3.
• Dependency Consolidation: Integrated fixes and clarified the status of three other open pull requests (chore(deps): bump iced from 0.13.1 to 0.14.0 #45, Copilot/fix ansi escape sequence issue #32, docs: Update documentation for Phase 4 Scripting completion #27), deferring a full iced 0.14.0 upgrade due to its extensive breaking changes.
• Dependency Updates: Updated various other crate versions in Cargo.toml and Cargo.lock, including ratatui, clap, serde_json, and tracing related crates, and expanded the allowed license list in the dependency review configuration.
• Code Quality Improvements: Implemented clippy fixes by adding Default derive to PluginCapabilities and #[allow(dead_code)] attributes for reserved fields in ScriptApi.

Ignored Files

• Ignored by pattern: .github/workflows/** (4)
  • .github/workflows/ci.yml
  • .github/workflows/master-pipeline.yml
  • .github/workflows/release.yml
  • .github/workflows/security-audit.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This PR applies a critical security fix for RUSTSEC-2026-0002 (lru v0.12.5 vulnerability) by vendoring a patched version of iced_glyphon. It also consolidates changes from PRs #45, #32, and #27, updates dependencies to recent versions, and makes code quality improvements.

Changes:

• Vendors patched iced_glyphon v0.6.0 with lru updated from 0.12.5 to 0.16.3
• Updates workspace dependencies (ratatui 0.30, criterion 0.8.1, clap 4.5.53, tracing 0.1.44, etc.)
• Adds clippy fixes and test coverage for zeroize functionality

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
vendor/iced_glyphon/*	Vendored patched dependency fixing lru security vulnerability
Cargo.toml	Added patch section and updated dependency versions
Cargo.lock	Dependency tree updates reflecting security fix and version bumps
SECURITY-FIX-RUSTSEC-2026-0002.md	Security fix documentation
crates/rustirc-core/src/auth.rs	Added zeroization tests and removed invalid zeroize(skip) attributes
crates/rustirc-tui/src/ui.rs	Ratatui 0.30 compatibility fix
crates/rustirc-plugins/src/api.rs	Derived Default for PluginCapabilities (clippy fix)
crates/rustirc-scripting/src/api.rs	Added dead_code allows for reserved fields
.github/workflows/*	GitHub Actions version updates
.github/dependency-review-config.yml	Enhanced license and package allowlist

[gemini-code-assist]

Code Review

This pull request effectively addresses the RUSTSEC-2026-0002 security vulnerability by vendoring and patching iced_glyphon to use a secure version of the lru crate. The changes are well-documented, both in the new SECURITY-FIX-RUSTSEC-2026-0002.md file and through inline comments. The PR also includes a significant number of dependency updates, which are handled correctly with necessary compatibility fixes. The minor refactorings and code cleanups, such as deriving Default and handling clippy lints, improve overall code quality. I've identified one potential issue regarding an inconsistency between Cargo.toml and Cargo.lock for one of the updated dependencies.

I am having trouble creating individual review comments. Click here to see my feedback.

Cargo.toml (45)

The Cargo.lock file does not appear to have been updated to reflect the change in the open crate's version from 5.0 to 5.3.3. This can lead to inconsistent dependency resolution across different environments and may cause CI failures. Please run cargo check or cargo update -p open and commit the resulting changes to Cargo.lock.