Resolve flagged Rust and npm dependency CVEs#72

Merged
mgasner merged 1 commit into
mainfrom
indent-2026-06-24-cve-bumps
Jun 25, 2026
Conversation

@mgasner mgasner commented Jun 24, 2026

Contributor

Summary

  • russh 0.60.3 → 0.61.2 in crates/ssh/Cargo.toml, remediating CVE-2026-46705, CVE-2026-48107, CVE-2026-48108. No API drift — blit-ssh builds clean against 0.61.
  • Adds pnpm.overrides "js-yaml": ">=4.2.0 <5" in js/pnpm-workspace.yaml, lifting the transitive js-yaml pulled by astro@6.4.8 / @astrojs/internal-helpers past the CVE-2026-53550 cutoff (<=4.1.1). Lockfile now resolves js-yaml 4.2.0.
  • Refreshes pnpmDeps.hash in nix/packages.nix to sha256-OdDAEf61IKfbNKowlp4J5VDICuuHntEN/XzsH5wjZw0= to match the new js/pnpm-lock.yaml (otherwise every Nix-built CI job fails with hash mismatch in fixed-output derivation, per /memories/repos/indent-com@blit/conventions/pnpm-deps-nix-hash.md).

Motivation

Security dashboard flagged rust-russh 0.34.0-beta.1..0.61.0 (three CVEs) and npm-js-yaml <=4.1.1 (CVE-2026-53550) as needing remediation.

Testing

  • cargo build -p blit-ssh
  • cargo check -p blit-proxy ✓ (other ssh-consuming crates exercise the russh 0.61 API)
  • cargo test -p blit-ssh ✓ (no tests, but compiles)
  • cd js/website && pnpm exec astro check ✓ (28 files, 0 errors)
  • nix build .#pnpmDeps ✓ — verified the hash before committing.

js-yaml: why 4.2.0 instead of 5.x

I first tried js-yaml: ">=5.1.0" (5.x is the long-term target per the user's framing of "upgrade to 5.x in both repos"). It immediately broke Astro:

```
SyntaxError: The requested module 'js-yaml' does not provide an export named 'default'
   at .../@astrojs/internal-helpers/dist/frontmatter.js:1
   import yaml from "js-yaml";
```

js-yaml 5.0 dropped the default export. @astrojs/internal-helpers@0.10.0 (transitive under astro@6.4.8) still does import yaml from "js-yaml", so 5.x is blocked until Astro adopts the named-only API. 4.2.0 is the immediate patched release inside the 4.x line and is enough to clear CVE-2026-53550 (<=4.1.1).


Bumps russh from 0.60.3 to 0.61.2 (CVE-2026-46705, CVE-2026-48107,
CVE-2026-48108 — all gated by the >=0.61.0 fix) and adds a pnpm override
forcing js-yaml >=4.2.0 <5 to remediate CVE-2026-53550 transitively
under Astro. 5.x dropped the default export that Astro relies on, so
the 4.x line stays for now. pnpmDeps.hash refreshed in
nix/packages.nix to match the new pnpm-lock.yaml.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
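The PR relies on the pnpm override having actually lifted every resolved copy of js-yaml out of the `<=4.1.1` range and kept it below 5.x. The script below is an added example, not code from this PR or from the blit repository: it reads a pnpm-lock.yaml and a pnpm-workspace.yaml as plain text, lists every version of a named package the lockfile resolves, and flags any that is still vulnerable or that escaped the override window. The lockfile and workspace snippets are constructed for the example and only mimic the shape of pnpm's `packages:`/`snapshots:` keys (`/name@1.2.3:` in lockfile v6, `name@1.2.3:` in v9) and its `overrides:` block; the version-range policy is taken from the PR text. Plain Node.js, no dependencies.

```javascript
// Added example (not part of the PR or the blit repository): verify that a
// pnpm override moved every resolved copy of a transitive package past a CVE
// cutoff. All inputs below are constructed for this example.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every version of `name` the lockfile resolves. Assumed key spellings:
// `/name@1.2.3:` (lockfile v6) or `name@1.2.3:` (v9), optionally followed by
// peer suffixes in parentheses. Dependency lines like `js-yaml: 4.1.0` do
// not match because they lack the `@` directly after the name.
function resolvedVersions(lockText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(
    `^\\s*/?${escaped}@(\\d+\\.\\d+\\.\\d+[^:\\s(]*)(?:\\([^)]*\\))*:\\s*$`,
    "gm"
  );
  const versions = new Set();
  for (const m of lockText.matchAll(re)) versions.add(m[1]);
  return [...versions].sort(compareVersions);
}

// Flag resolved versions that are still vulnerable (<= maxVulnerable) or that
// fall outside the intended override window [minFixed, maxExclusive).
function auditVersions(lockText, name, { maxVulnerable, minFixed, maxExclusive }) {
  const bad = [];
  for (const v of resolvedVersions(lockText, name)) {
    if (compareVersions(v, maxVulnerable) <= 0) {
      bad.push({ version: v, reason: "vulnerable" });
    } else if (compareVersions(v, minFixed) < 0 || compareVersions(v, maxExclusive) >= 0) {
      bad.push({ version: v, reason: "outside override range" });
    }
  }
  return bad;
}

// Read the range declared for `name` under a top-level `overrides:` block in
// pnpm-workspace.yaml (quoted or unquoted key/value), or null if absent.
function overrideRange(workspaceText, name) {
  let inOverrides = false;
  for (const line of workspaceText.split("\n")) {
    if (/^overrides:\s*$/.test(line)) { inOverrides = true; continue; }
    if (inOverrides && /^\S/.test(line)) inOverrides = false; // left the block
    if (!inOverrides) continue;
    const m = /^\s+["']?([^"':]+)["']?:\s*(.*?)\s*$/.exec(line);
    if (m && m[1] === name) return m[2].replace(/^["']|["']$/g, "");
  }
  return null;
}

// Policy from the PR text: js-yaml <= 4.1.1 is affected, fix is 4.2.0, 5.x is
// not yet consumable by Astro, so the override is ">=4.2.0 <5".
const JS_YAML_POLICY = { maxVulnerable: "4.1.1", minFixed: "4.2.0", maxExclusive: "5.0.0" };

// Constructed lockfile fragments (not real lockfile contents).
const lockBefore = `
lockfileVersion: '9.0'
packages:
  '@astrojs/internal-helpers@0.10.0':
    resolution: {integrity: sha512-constructed}
  js-yaml@4.1.0:
    resolution: {integrity: sha512-constructed}
    hasBin: true
snapshots:
  '@astrojs/internal-helpers@0.10.0':
    dependencies:
      js-yaml: 4.1.0
  js-yaml@4.1.0:
    dependencies:
      argparse: 2.0.1
`;
const lockAfter = lockBefore.split("4.1.0").join("4.2.0");

// Constructed workspace file carrying the override.
const workspaceYaml = `
packages:
  - website
overrides:
  "js-yaml": ">=4.2.0 <5"
`;

console.log("override:", overrideRange(workspaceYaml, "js-yaml"));
console.log("before:", auditVersions(lockBefore, "js-yaml", JS_YAML_POLICY));
console.log("after:", auditVersions(lockAfter, "js-yaml", JS_YAML_POLICY));
```

Run it against the real `js/pnpm-lock.yaml` and `js/pnpm-workspace.yaml` by swapping the constructed strings for `fs.readFileSync(...)`; a non-empty audit result means some consumer still resolves a vulnerable or out-of-range copy, which a single `overrides` entry should have prevented.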
@mgasner mgasner added the indent label Jun 24, 2026 — with indent
@github-actions


Coverage

| Crate | Lines | Functions | Regions |
| --- | --- | --- | --- |
| alacritty-driver | 63.7% (626/982) | 67.1% (49/73) | 64.3% (919/1429) |
| browser | 0.0% (0/807) | 0.0% (0/65) | 0.0% (0/1370) |
| cli | 28.1% (1208/4299) | 41.3% (171/414) | 31.1% (2182/7019) |
| compositor | 1.0% (93/9234) | 2.0% (8/400) | 1.2% (146/12408) |
| fonts | 76.8% (486/633) | 85.5% (47/55) | 77.9% (922/1183) |
| gateway | 25.7% (362/1411) | 29.0% (36/124) | 19.4% (449/2318) |
| proxy | 18.3% (150/818) | 20.9% (24/115) | 20.4% (260/1277) |
| remote | 71.5% (1975/2763) | 81.4% (188/231) | 74.1% (3737/5045) |
| sd-notify | 73.9% (68/92) | 100.0% (6/6) | 83.2% (109/131) |
| server | 18.7% (2186/11701) | 33.6% (251/748) | 20.1% (3660/18180) |
| ssh | 1.9% (7/374) | 3.2% (1/31) | 0.7% (4/613) |
| webrtc-forwarder | 2.7% (72/2624) | 2.1% (4/187) | 1.2% (50/4335) |
| webserver | 63.5% (753/1185) | 70.8% (121/171) | 67.8% (1380/2034) |
| Total | 21.6% (7986/36923) | 34.6% (906/2620) | 24.1% (13818/57342) |

@mgasner mgasner requested review from johannkm and pcarrier June 25, 2026 00:51
@mgasner mgasner merged commit efb387d into main Jun 25, 2026
10 of 11 checks passed
@mgasner mgasner deleted the indent-2026-06-24-cve-bumps branch June 25, 2026 17:22
3 participants