fix: upgrade gix-validate to 0.11.1 (GHSA-p3hw-mv63-rf9w) #7668

Open

orbisai0security wants to merge 1 commit into FuelLabs:master from orbisai0security:fix-ghsa-p3hw-mv63-rf9w-cargo-lock

Conversation

@orbisai0security


Summary

Upgrade gix-validate from 0.10.1 to 0.11.1 to fix GHSA-p3hw-mv63-rf9w.

Vulnerability

Field       Value
ID          GHSA-p3hw-mv63-rf9w
Severity    HIGH
Scanner     trivy
Rule        GHSA-p3hw-mv63-rf9w
File        Cargo.lock
Assessment  Likely exploitable

Description: gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure

Evidence

Scanner confirmation: trivy rule GHSA-p3hw-mv63-rf9w flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

  • Cargo.lock

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security
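The Verification list above says the scanner re-scan confirms the fix, but a reviewer can also check the lockfile directly: every pinned copy of the crate, not just the first, has to be at or above the patched version, because Cargo.lock may legitimately carry two versions of one crate. The following is an added example, not code from this PR, from FuelLabs or from the gitoxide project; it assumes only what the PR states (gix-validate pinned at 0.10.1 before, 0.11.1 after), and the Cargo.lock fragments it parses are constructed for illustration, not the real FuelLabs lockfile.

```python
"""Check that every pinned copy of a crate in Cargo.lock meets a minimum
patched version. Added example; not part of the PR or of gitoxide."""
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock fragment standing in for the pre-fix lockfile.
LOCK_BEFORE = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "gix-path"
version = "0.10.0"
dependencies = [
 "gix-validate",
]

[[package]]
name = "gix-validate"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed post-fix fragment: only the gix-validate pin changes.
LOCK_AFTER = LOCK_BEFORE.replace('version = "0.10.1"', 'version = "0.11.1"')

# Constructed fragment where a second, still-vulnerable copy of the crate
# survives alongside the patched one (a real resolution outcome for lockfiles).
LOCK_MIXED = LOCK_AFTER + """
[[package]]
name = "gix-validate"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

KEY_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison, so "0.11.1" > "0.9.10" (string compare
    would get this wrong). Pre-release/build suffixes are dropped."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def pinned_versions(lock_text: str) -> Dict[str, List[str]]:
    """Map crate name -> every version pinned by a [[package]] table."""
    pins: Dict[str, List[str]] = {}
    current = None  # keys collected for the [[package]] table being read
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            continue
        if current is None:  # top-level keys such as `version = 3` are skipped
            continue
        m = KEY_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            if "name" in current and "version" in current:
                pins.setdefault(current["name"], []).append(current["version"])
                current = None  # ignore the rest of this table
    return pins


def unpatched_pins(lock_text: str, crate: str, min_fixed: str) -> List[str]:
    """Return the pinned versions of `crate` that are older than `min_fixed`.
    An empty list means the lockfile is clean for this advisory."""
    floor = parse_version(min_fixed)
    return [v for v in pinned_versions(lock_text).get(crate, [])
            if parse_version(v) < floor]


if __name__ == "__main__":
    for label, text in (("before", LOCK_BEFORE), ("after", LOCK_AFTER),
                        ("mixed", LOCK_MIXED)):
        bad = unpatched_pins(text, "gix-validate", "0.11.1")
        print(f"{label}: {'OK' if not bad else 'unpatched ' + ', '.join(bad)}")
```

Run against a real lockfile by reading the file into `unpatched_pins`; the "mixed" case is the one a diff-only review tends to miss, since the patched entry appears in the delta while the older copy sits unchanged elsewhere in the file.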

gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
Resolves GHSA-p3hw-mv63-rf9w
@orbisai0security orbisai0security requested a review from a team as a code owner June 25, 2026 09:44
@cursor

cursor Bot commented Jun 25, 2026


PR Summary

Low Risk
Lockfile-only security patch with no direct code edits; main review point is that git/submodule validation behavior changes with the patched crate.

Overview
Bumps gix-validate in Cargo.lock from 0.10.1 to 0.11.1 to address GHSA-p3hw-mv63-rf9w (submodule name validation bypass that could enable path traversal and credential disclosure).

That crate is pulled in through gix-path and gix-url, which sit on git/URL handling paths in the dependency tree. The visible lockfile delta may also include small transitive adjustments (e.g. data-encoding-macro-internal pinning an older syn).

No application source changes—dependency resolution only.

Reviewed by Cursor Bugbot for commit 73b6f82.
