From 6ce63192fd43d14feff97962d33c6096b818c225 Mon Sep 17 00:00:00 2001
From: platinummonkey
Date: Tue, 17 Mar 2026 19:04:49 -0600
Subject: [PATCH] fix(deps): upgrade yamux to v0.13.10 (CVE-2026-32314)

Resolves Dependabot alert #4 (GHSA-vxx9-2994-q338). yamux < 0.13.10 can panic when processing a crafted inbound Data frame with SYN set and body length > DEFAULT_CREDIT (262145). The panic is remotely reachable without authentication.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2a5a1371..af859574 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4607,9 +4607,9 @@ checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
 [[package]]
 name = "yamux"
-version = "0.13.9"
+version = "0.13.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c650efd29044140aa63caaf80129996a9e2659a2ab7045a7e061807d02fc8549"
+checksum = "1991f6690292030e31b0144d73f5e8368936c58e45e7068254f7138b23b00672"
 dependencies = [
  "futures",
  "log",