Security: lru 0.12.5 dependency has Stacked Borrows violation (GHSA-xpfx-fvgv-hgqp)

[michaeloboyle]

Summary

The ruvllm crate (v2.0.1) depends on lru 0.12.5, which has a known security advisory:

• Advisory: GHSA-xpfx-fvgv-hgqp
• Severity: LOW (Cargo audit) / Moderate (GitHub)
• Issue: IterMut Stacked Borrows violation — unsound use of unsafe code in lru::IterMut
• Fixed in: lru >= 0.13.0

Reproduction

$ cargo audit
Crate:  lru
Version: 0.12.5
Warning: unsound
ID:     RUSTSEC-2024-0404

Impact

Downstream consumers of ruvllm (e.g. ruvllm-enrichment) inherit this transitive dependency and cannot override it via [patch.crates-io] since lru is published on the same registry source.

Requested Fix

Update the lru dependency in ruvllm from 0.12.x to 0.16.3 (or latest). Note that 0.12 → 0.13+ is a semver-breaking change for 0.x crates, so this requires a version bump.

Environment

• ruvllm: 2.0.1
• lru: 0.12.5 (transitive)
• Rust: stable

[ruvnet]

Fix Applied in PR #172 (merged)

Bumped lru from 0.12 to 0.16 in all 3 affected crates:

• ruvector-graph (Cargo.toml)
• ruvector-cli (Cargo.toml)
• ruvLLM (examples/ruvLLM/Cargo.toml)

All call sites already used NonZeroUsize::new() for LruCache::new(), so the 0.12→0.16 API change was already compatible. Both cargo check -p ruvector-graph and cargo check -p ruvector-cli pass cleanly.

$ cargo audit
# lru 0.16 — no known advisories

Version: workspace 2.0.3 | PR: #172

[ruvnet]

Fixed in workspace v2.0.3 (PR #172). lru bumped to 0.16 in all affected crates.