fix(deps): update dependency rust to v1.94.1 #35

Merged
koki-develop merged 1 commit into main from renovate/rust-1.x
Apr 17, 2026

@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package | Update | Change | Pending
rust | patch | 1.94.0 → 1.94.1 | 1.95.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

rust-lang/rust (rust)

v1.94.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot commented Apr 17, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Rust 1.94.1 is a patch release published on March 26, 2026, that addresses regressions and security vulnerabilities introduced in Rust 1.94.0. The changes include:

Compiler and Standard Library:

  • Fix std::thread::spawn on wasm32-wasip1-threads (not relevant to this project)
  • Remove new methods added to std::os::windows::fs::OpenOptionsExt (Windows-specific, not relevant)

Security Fixes (Cargo):

  • Update tar to 0.4.45, resolving CVE-2026-33055 and CVE-2026-33056
    • CVE-2026-33056: A flaw in the third-party tar crate that allows a malicious crate to change permissions on arbitrary directories during package extraction
    • crates.io implemented preventive measures on March 13, 2026
    • Complete audit confirmed no exploited crates exist on the public registry

Clippy:

  • Fix ICE (Internal Compiler Error) in match_same_arms

Other:

  • Downgrade curl-sys to 0.4.83 to fix certificate validation error on some FreeBSD versions

Breaking Changes: None

🎯 Impact Scope Investigation

Files Changed:

  1. Dockerfile (line 70): ARG RUST_VERSION=1.94.0 → 1.94.1
  2. internal/sandbox/runtime.go (line 472): RUSTUP_TOOLCHAIN=1.94.0 → 1.94.1

Usage Pattern Analysis:

  • The sandbox service uses rustc directly for compilation, not cargo build
  • Rust runtime configuration at internal/sandbox/runtime.go:456-474:
    • CompileCommand uses /mise/cargo/bin/rustc with --edition 2024 flag
    • No Cargo.toml or package management operations
    • Only compiles standalone .rs files provided by users

CVE Impact Assessment:

  • CVE-2026-33056 affects Cargo's package extraction from registries (crates.io)
  • This sandbox does not use Cargo for package management or download crates
  • The vulnerability is NOT exploitable in this context

Test Coverage:

  • Extensive E2E test suite exists at e2e/tests/runtime/rust.yml with 15 test cases
  • Tests cover: hello world, compile errors, stderr output, multi-file compilation, panics, standard library usage, traits, error handling, closures, threading
  • All tests use the standard library only, no external dependencies

Dependency Analysis:

  • No other packages depend on the specific Rust version
  • Rust runtime is isolated and managed via mise

💡 Recommended Actions

  1. Merge immediately - This is a safe patch update with security fixes
  2. Run E2E tests after merge to verify compatibility:
    docker compose down && docker compose up --build -d
    go test -tags e2e ./e2e/...
  3. No code changes required - The update is fully backward compatible
  4. No migration work needed - Version string updates are automated by Renovate

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
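
The review comment above lists two files that carry the same Rust toolchain version, so a half-applied bump would leave the sandbox runtime on the old compiler while the image has the new one. The following is an added example, not part of this PR or the repository: a Go check that fails when the two pins differ. The function names, the regular expressions and the sample file contents are assumptions; only the `ARG RUST_VERSION=` and `RUSTUP_TOOLCHAIN=` keys come from the page.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns for the two pins named in the review; surrounding syntax is assumed.
var (
	dockerPin  = regexp.MustCompile(`(?m)^\s*ARG\s+RUST_VERSION=(\d+\.\d+\.\d+)\s*$`)
	runtimePin = regexp.MustCompile(`RUSTUP_TOOLCHAIN=(\d+\.\d+\.\d+)`)
)

// checkRustPins returns the pinned version when both files agree, and an
// error when a pin is missing, ambiguous within one file, or has drifted.
func checkRustPins(dockerfile, runtimeGo string) (string, error) {
	d, err := uniquePin("Dockerfile ARG RUST_VERSION", dockerPin, dockerfile)
	if err != nil {
		return "", err
	}
	r, err := uniquePin("runtime.go RUSTUP_TOOLCHAIN", runtimePin, runtimeGo)
	if err != nil {
		return "", err
	}
	if d != r {
		return "", fmt.Errorf("rust pin drift: Dockerfile=%s runtime.go=%s", d, r)
	}
	return d, nil
}

// uniquePin collects every match of re and requires exactly one distinct version.
func uniquePin(name string, re *regexp.Regexp, src string) (string, error) {
	seen := map[string]bool{}
	last := ""
	for _, m := range re.FindAllStringSubmatch(src, -1) {
		seen[m[1]] = true
		last = m[1]
	}
	if len(seen) != 1 {
		return "", fmt.Errorf("%s: want 1 distinct version, found %d", name, len(seen))
	}
	return last, nil
}

func main() {
	// Constructed sample contents (not from the repository): a half-applied bump.
	_, err := checkRustPins("ARG RUST_VERSION=1.94.1\n", `"RUSTUP_TOOLCHAIN=1.94.0",`)
	fmt.Println(err)
}
```
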

renovate Bot force-pushed the renovate/rust-1.x branch from 7a7db16 to 0c8bc84 on April 17, 2026 05:51
renovate Bot force-pushed the renovate/rust-1.x branch from 0c8bc84 to 795895f on April 17, 2026 05:53
koki-develop merged commit 6b5de20 into main on Apr 17, 2026
8 checks passed
koki-develop deleted the renovate/rust-1.x branch on April 17, 2026 06:14