
chore(deps): bump lz4_flex from 0.12.0 to 0.12.1 in the cargo group across 1 directory#179

Merged
randygrok merged 2 commits into main from dependabot/cargo/cargo-8786e96a9c on Mar 18, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps the cargo group with 1 update in the / directory: lz4_flex.

Updates lz4_flex from 0.12.0 to 0.12.1

Changelog

Sourced from lz4_flex's changelog.

0.12.1 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.12.x should upgrade to 0.12.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 1 update in the / directory: [lz4_flex](https://github.com/pseitz/lz4_flex).


Updates `lz4_flex` from 0.12.0 to 0.12.1
- [Release notes](https://github.com/pseitz/lz4_flex/releases)
- [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md)
- [Commits](PSeitz/lz4_flex@0.12.0...0.12.1)

---
updated-dependencies:
- dependency-name: lz4_flex
  dependency-version: 0.12.1
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Mar 16, 2026

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from a team as a code owner March 16, 2026 20:50
@randygrok randygrok enabled auto-merge (squash) March 18, 2026 14:07

claude bot commented Mar 18, 2026



PR Review: lz4_flex Security Update

I've completed my analysis of this security dependency update for lz4_flex from 0.12.0 to 0.12.1.

Tasks

  • Analyze changed files and dependency version bump
  • Review security implications of the fix
  • Check lz4_flex usage across codebase
  • Assess impact on code quality and performance
  • Provide comprehensive review feedback

Analysis Summary

✅ APPROVE - This is a critical security update that should be merged immediately.

Security Review

🔴 Critical Security Fix: This update addresses a high-severity security vulnerability in lz4_flex 0.12.x:

  • Issue: Invalid match offsets (offset == 0) during decompression were not properly handled
  • Impact: Could lead to invalid memory reads on untrusted input
  • CVE: This appears to be a memory safety issue that could potentially be exploited
  • Urgency: The changelog explicitly states "Users on 0.12.x should upgrade to 0.12.1"

Technical Analysis

Dependency Usage:

  • lz4_flex is used indirectly via reth-nippy-jar (Cargo.lock line 4834)
  • nippy-jar appears to be reth's compression/archiving system for static file storage
  • Used alongside bincode, memmap2, and zstd for data serialization and compression

Attack Surface:

  • Primary concern is if compressed data from external sources (P2P network, RPC requests, or file imports) is processed
  • Since this is used in static file storage, maliciously crafted compressed data could trigger the vulnerability
  • Blockchain data ingestion could potentially include compressed payloads

Code Quality & Performance

✅ Positive Aspects:

  • Minimal, focused security patch (only version bump)
  • No breaking changes - purely bug fix release
  • Also includes beneficial tracing-subscriber updates (0.3.20 → 0.3.23)

No Performance Impact:

  • This is a security fix, not a performance optimization
  • Should maintain existing compression performance characteristics

Recommendations

  1. ✅ Merge Immediately: This addresses a critical memory safety vulnerability
  2. ✅ Security Priority: The fix prevents potential memory corruption from malformed input
  3. ✅ Testing: The existing test suite should be sufficient as this is a drop-in security fix
  4. ⚠️ Post-Merge: Consider reviewing any code paths that process external compressed data for additional hardening

Missing Labels Notice

The dependabot comment mentions missing labels dependencies and rust - consider adding these to your repository configuration for better PR categorization.


Overall Assessment: Strong approval for immediate merge. This is exactly the type of security update that should be fast-tracked.
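The offset check the changelog entry describes (offset == 0 on decompression) and the hardening the review's post-merge recommendation asks for, as an added example that is neither lz4_flex's nor this repository's code: a minimal LZ4 block decoder that validates the match offset and an output bound before copying from its own output. The token/literal/offset layout is taken from the LZ4 block format; the `max_out` parameter and error names are this example's own.

```rust
// Added illustration, not lz4_flex's own code: a minimal LZ4 block decoder that
// rejects offset == 0 (the 0.12.1 fix) plus the other bounds a match copy needs.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,        // input ends inside a sequence
    ZeroOffset,       // offset == 0: the case lz4_flex 0.12.1 fixes
    OffsetOutOfRange, // offset reaches before the start of the output
    OutputTooLarge,   // caller's output bound exceeded (decompression-bomb guard)
}

/// LZ4 extended length: each following byte is added, stopping at the first byte != 255.
fn read_extended_len(input: &[u8], pos: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        len += b as usize;
        if b != 255 { return Ok(len); }
    }
}
/// Decodes one raw LZ4 block: token, literals, 2-byte LE offset, match length per
/// sequence; the final sequence carries literals only. Output is capped at `max_out`.
pub fn decompress_block(input: &[u8], max_out: usize) -> Result<Vec<u8>, DecodeError> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while pos < input.len() {
        let token = input[pos];
        pos += 1;
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 { lit_len = read_extended_len(input, &mut pos, lit_len)?; }
        let lit_end = pos + lit_len;
        if lit_end > input.len() { return Err(DecodeError::Truncated); }
        if out.len() + lit_len > max_out { return Err(DecodeError::OutputTooLarge); }
        out.extend_from_slice(&input[pos..lit_end]);
        pos = lit_end;
        if pos == input.len() { break; } // last sequence: literals only, no match
        let off = input.get(pos..pos + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        pos += 2;
        // A match copies from out[out.len() - offset..]; offset 0 would read at
        // out.len() (past the end) and offset > out.len() would underflow the index.
        if offset == 0 { return Err(DecodeError::ZeroOffset); }
        if offset > out.len() { return Err(DecodeError::OffsetOutOfRange); }
        let mut match_len = (token & 0x0F) as usize + 4;
        if (token & 0x0F) == 15 { match_len = read_extended_len(input, &mut pos, match_len)?; }
        if out.len() + match_len > max_out { return Err(DecodeError::OutputTooLarge); }
        // Byte-by-byte so overlapping matches (offset < match_len) repeat the pattern.
        for _ in 0..match_len { let b = out[out.len() - offset]; out.push(b); }
    }
    Ok(out)
}
```

A block of `[0x35, b'a', b'b', b'c', 0x03, 0x00, 0x10, b'x']` decodes to `abcabcabcabcx`, while the same block with offset bytes `0x00, 0x00` is rejected with `ZeroOffset` before any copy is attempted.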

@randygrok randygrok merged commit c06d301 into main Mar 18, 2026
17 checks passed
@randygrok randygrok deleted the dependabot/cargo/cargo-8786e96a9c branch March 18, 2026 14:24