fix: upgrade lru crate to 0.16.3 (#8845)

See https://rustsec.org/advisories/RUSTSEC-2026-0002. Though our `ratatui` fork has a transitive dep on an older version of the `lru` crate, so to get CI green ASAP, this PR also adds an exception to `deny.toml` for `RUSTSEC-2026-0002`, but hopefully this will be short-lived.
2026-04-24 22:54:54 +00:00 · 2026-01-07 10:11:27 -08:00
parent fedcb8f63c
commit a1e81180f8
3 changed files with 15 additions and 13 deletions
--- a/codex-rs/deny.toml
+++ b/codex-rs/deny.toml
@@ -73,6 +73,8 @@ ignore = [
    { id = "RUSTSEC-2024-0388", reason = "derivative is unmaintained; pulled in via starlark v0.13.0 used by execpolicy/cli/core; no fixed release yet" },
    { id = "RUSTSEC-2025-0057", reason = "fxhash is unmaintained; pulled in via starlark_map/starlark v0.13.0 used by execpolicy/cli/core; no fixed release yet" },
    { id = "RUSTSEC-2024-0436", reason = "paste is unmaintained; pulled in via ratatui/rmcp/starlark used by tui/execpolicy; no fixed release yet" },
+    # TODO(joshka, nornagon): remove this exception when once we update the ratatui fork to a version that uses lru 0.13+.
+    { id = "RUSTSEC-2026-0002", reason = "lru 0.12.5 is pulled in via ratatui fork; cannot upgrade until the fork is updated" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.