security(deps): remove vulnerable xmas-elf dependency via embuild (fixes #399)

Removes the unused "elf" feature from the embuild dependency in
firmware/zeroclaw-esp32/Cargo.toml.

Vulnerability Details:
- Advisory: GHSA-9cc5-2pq7-hfj8
- Package: xmas-elf < 0.10.0
- Severity: Moderate (insufficient bounds checks in HashTable access)

Root Cause:
- The embuild dependency (version < 0.33) relies on xmas-elf ~0.9.1
- The "elf" feature was enabled but not actually used

Fix:
- Removed features = ["elf"] from embuild dependency
- The build.rs only uses embuild::espidf::sysenv, which doesn't require elf
- xmas-elf dependency is now completely eliminated from Cargo.lock

Verification:
- cargo build passes successfully
- grep "xmas-elf" firmware/zeroclaw-esp32/Cargo.lock confirms removal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
argenis de la rosa 2026-02-17 03:00:03 -05:00
parent f75f73a50d
commit ccc48824cf
2 changed files with 1 additions and 17 deletions
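The "Verification" step above relies on a plain `grep "xmas-elf"` over Cargo.lock, which also matches the name inside another crate's `dependencies = [...]` list. As an added example (not part of this commit or the project), the POSIX shell snippet below parses the `[[package]]` stanzas instead and reports only resolved packages with their versions; the sample lock file it scans is constructed here to mirror the pre-fix state and its embuild patch version is a placeholder.

```shell
#!/bin/sh
# Added example: report the resolved version(s) of a package in a Cargo.lock.
# Walks [[package]] stanzas so a name that only appears inside some other
# package's dependencies list is not reported as a resolved package.
lock_package_versions() {
    # $1 = path to Cargo.lock, $2 = package name to look for
    awk -v want="$2" '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3
                             if (name == want) print ver }
    ' "$1"
}

# Exit status 0 when the package is resolved in the lock file, 1 otherwise.
lock_has_package() {
    [ -n "$(lock_package_versions "$1" "$2")" ]
}

# Constructed sample lock file (assumed content, not the project's real Cargo.lock):
# embuild with the "elf" feature still pulling in xmas-elf 0.9.1, i.e. the state
# the commit message describes before the fix.
SAMPLE_LOCK="$(mktemp)"
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "embuild"
version = "0.31.0"
dependencies = [
 "xmas-elf",
]

[[package]]
name = "serde"
version = "1.0.0"

[[package]]
name = "xmas-elf"
version = "0.9.1"
EOF

# Example run against the constructed file; on the real tree you would pass
# firmware/zeroclaw-esp32/Cargo.lock instead.
if lock_has_package "$SAMPLE_LOCK" xmas-elf; then
    echo "xmas-elf still resolved: $(lock_package_versions "$SAMPLE_LOCK" xmas-elf)"
else
    echo "xmas-elf not present in lock file"
fi
```

Against the real tree, `lock_has_package firmware/zeroclaw-esp32/Cargo.lock xmas-elf` is a one-line CI guard that fails the job if the crate ever reappears; printing the version via `lock_package_versions` also lets you confirm it is at or above 0.10.0 should a future feature re-enable it.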


@ -22,7 +22,7 @@ serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
[build-dependencies]
embuild = { version = "0.31", features = ["elf"] }
embuild = "0.31"
[profile.release]
opt-level = "s"
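Review bot: dropping `features = ["elf"]` removes the xmas-elf edge only as long as no other embuild feature (or another build-dependency) pulls it back in, and the pinned `embuild = "0.31"` is still inside the range the commit message itself identifies as depending on xmas-elf ~0.9.1, so re-enabling `elf` later would silently reintroduce GHSA-9cc5-2pq7-hfj8. Consider either bumping embuild to the version the message names (>= 0.33) in the same change, or adding a `cargo audit` / `cargo deny` step in CI so the manual `grep "xmas-elf" Cargo.lock` check from the Verification section is enforced automatically; the Cargo.lock hunk carrying the 17 deletions is not shown here, so reviewers cannot confirm from this page alone that xmas-elf was the only crate removed.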