From e7f6d94dd0fb2de46dacffb50bf94b88fc6bc967 Mon Sep 17 00:00:00 2001
From: chengwenxi <22697326+chengwenxi@users.noreply.github.com>
Date: Tue, 17 Mar 2026 10:12:27 +0800
Subject: [PATCH] fix(deps): bump lz4_flex to 0.11.6 to fix uninitialized memory leak (GHSA-vvp9-7p8x-rfvv)

Dependabot alert #10: lz4_flex < 0.11.6 can leak uninitialized or stale memory when decompressing invalid LZ4 data via block-based APIs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 6764435..54ad644 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4477,9 +4477,9 @@ dependencies = [
 
 [[package]]
 name = "lz4_flex"
-version = "0.11.5"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08ab2867e3eeeca90e844d1940eab391c9dc5228783db2ed999acbc0a9ed375a"
+checksum = "373f5eceeeab7925e0c1098212f2fbc4d416adec9d35051a6ab251e824c1854a"
 
 [[package]]
 name = "mach2"