fix(security): remediate 8 Dependabot advisories (rustls-webpki, rand, aws-lc-sys)

[doublegate]

Summary

Remediates all 8 open Dependabot alerts on main (3 high, 1 moderate, 4 low). All are transitive dependencies; the security fix is confined to Cargo.lock — no manifest constraint changes were needed (every bump is within the existing semver-compatible ranges).

A second, prerequisite commit fixes a pre-existing clippy::collapsible_match lint that current stable clippy (1.96.0, which CI pulls via dtolnay/rust-toolchain@stable) flags in router.rs — without it the CI clippy gate (-D warnings) would block this PR from going green. That fix is behavior-preserving (see below).

Advisories resolved

Package	From → To	Advisories	Severity
rustls-webpki	0.103.9 → 0.103.13	GHSA-82j2-j2ch-gfr8, GHSA-pwjx-qhcg-rvj4, GHSA-965h-392x-2mh5, GHSA-xgp8-3hg3-c2mh	high, medium, low, low
aws-lc-sys	0.38.0 → 0.41.0	GHSA-9f94-5g5w-gf6r, GHSA-394x-vwmw-crm3	high, high
rand	0.8.5 → 0.8.6 / 0.9.2 → 0.9.3	GHSA-cq8v-f236-94qc (both major lines)	low

aws-lc-sys 0.38 → patched line required bumping its parent aws-lc-rs 1.16.1 → 1.17.0 (the only change beyond the four target packages), since aws-lc-rs 1.16.1 pinned aws-lc-sys ^0.38 and excluded the patched 0.39+ line.

Commits

1. fix(core) — hoist the TOPIC handler's params.len() >= 2 check into a match guard ("TOPIC" if … =>). A short TOPIC message previously fell through the inner if as a no-op; it now fails the guard and falls through to the existing _ => {} arm — identical no-op, no behavior change.
2. build(deps) — the Cargo.lock advisory bumps above.

Verification (local, rust 1.96.0)

• cargo build --workspace: 0 errors
• cargo clippy --all-targets --all-features -- -D warnings: clean
• cargo test --workspace: 266 passed (18 suites)
• No old vulnerable versions remain in Cargo.lock

🤖 Generated with Claude Code

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
cargo/aws-lc-rs	1.17.0	Unknown	Unknown
cargo/aws-lc-sys	0.41.0	Unknown	Unknown
cargo/rand	0.8.6	🟢 6.3	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/rand	0.9.3	🟢 6.3	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/rustls-webpki	0.103.13	Unknown	Unknown

Scanned Files

• Cargo.lock

[gemini-code-assist]

Code Review

This pull request updates several dependencies in Cargo.lock, including aws-lc-rs, aws-lc-sys, rand, and rustls-webpki. Additionally, it refactors the "TOPIC" message handling in crates/rustirc-core/src/router.rs to use a match guard instead of an inner if condition, simplifying the nesting structure. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[Copilot]

Pull request overview

This PR remediates Dependabot security advisories by updating vulnerable transitive Rust dependencies via Cargo.lock, and includes a small, behavior-preserving refactor in the core message router to satisfy clippy::collapsible_match under current stable Clippy.

Changes:

• Refactor TOPIC message handling in ChannelHandler to use a match guard instead of an inner if (no-op behavior preserved for short TOPIC messages).
• Update Cargo.lock to bump rustls-webpki, aws-lc-sys (and required aws-lc-rs), and both rand major lines to patched versions addressing advisories.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
crates/rustirc-core/src/router.rs	Uses a match guard for TOPIC handling to satisfy Clippy without changing runtime behavior.
Cargo.lock	Updates transitive dependency versions to patched releases that resolve 8 Dependabot alerts.