diff --git a/THIRDPARTY-LICENSES.html b/THIRDPARTY-LICENSES.html
index 73b982c9..2f64361d 100644
--- a/THIRDPARTY-LICENSES.html
+++ b/THIRDPARTY-LICENSES.html
@@ -44,7 +44,7 @@
Overview of licenses:
Apache License
Version 2.0, January 2004
@@ -1988,7 +1988,7 @@ limitations under the License.
Apache License 2.0
Used by:
Apache License
Version 2.0, January 2004
@@ -2617,11 +2617,11 @@ limitations under the License.
arrayvec 0.7.6
async-compression 0.4.42
atomic-waker 1.1.2
- autocfg 1.5.0
- bitflags 2.11.1
+ autocfg 1.5.1
+ bitflags 2.12.1
bstr 1.12.1
cast 0.3.0
- cc 1.2.62
+ cc 1.2.63
cfg-if 1.0.4
compression-codecs 0.4.38
compression-core 0.4.32
@@ -2632,7 +2632,7 @@ limitations under the License.
crossbeam-deque 0.8.6
crossbeam-epoch 0.9.18
crossbeam-utils 0.8.21
- either 1.15.0
+ either 1.16.0
equivalent 1.0.2
errno 0.3.14
fastrand 2.4.1
@@ -2649,10 +2649,11 @@ limitations under the License.
httparse 1.10.1
indexmap 2.14.0
itertools 0.13.0
+ itertools 0.14.0
lazy_static 1.5.0
linux-raw-sys 0.12.1
lock_api 0.4.14
- log 0.4.29
+ log 0.4.32
mime 0.3.17
num-traits 0.2.19
num_cpus 1.17.0
@@ -2673,12 +2674,12 @@ limitations under the License.
scopeguard 1.2.0
signal-hook-registry 1.4.8
smallvec 1.15.1
- socket2 0.6.3
+ socket2 0.6.4
tempfile 3.27.0
thread_local 1.1.9
tinytemplate 1.2.1
unicode-width 0.2.2
- uuid 1.23.1
+ uuid 1.23.2
wait-timeout 0.2.1
Apache License
@@ -2888,7 +2889,7 @@ limitations under the License.
Apache License 2.0
Used by:
Apache License
Version 2.0, January 2004
@@ -4138,7 +4139,7 @@ limitations under the License.
half 2.7.1
itoa 1.0.18
libc 0.2.186
- num-conv 0.2.1
+ num-conv 0.2.2
pin-project-lite 0.2.17
portable-atomic 1.13.1
proc-macro2 1.0.106
@@ -4149,10 +4150,10 @@ limitations under the License.
serde 1.0.228
serde_core 1.0.228
serde_derive 1.0.228
- serde_json 1.0.149
+ serde_json 1.0.150
serde_path_to_error 0.1.20
serde_urlencoded 0.7.1
- shlex 1.3.0
+ shlex 2.0.1
siphasher 1.0.3
syn 2.0.117
sync_wrapper 1.0.2
@@ -4242,7 +4243,7 @@ limitations under the License.
Apache License 2.0
Used by:
Rust-chrono is dual-licensed under The MIT License [1] and
Apache 2.0 License [2]. Copyright (c) 2014--2026, Kang Seonghoon and
@@ -4795,7 +4796,7 @@ The GNU General Public License does not permit incorporating your program into p
MIT License
Used by:
Copyright (c) 2014 Carl Lerche and other MIO contributors
@@ -4877,7 +4878,7 @@ IN THE SOFTWARE.
MIT License
Used by:
Copyright (c) 2014-2026 Sean McArthur
@@ -5163,7 +5164,7 @@ DEALINGS IN THE SOFTWARE.
MIT License
Used by:
Copyright (c) 2019-2021 Tower Contributors
@@ -5346,7 +5347,7 @@ SOFTWARE.
MIT License
Used by:
MIT License
@@ -5621,7 +5622,7 @@ DEALINGS IN THE SOFTWARE.
MIT License
Used by:
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
@@ -5711,8 +5712,8 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The MIT License (MIT)
@@ -5923,7 +5924,7 @@ SOFTWARE.
Used by:
The MIT License (MIT)
diff --git a/src/commands/scan.rs b/src/commands/scan.rs
index c2d6ebd3..8d91ac86 100644
--- a/src/commands/scan.rs
+++ b/src/commands/scan.rs
@@ -355,6 +355,7 @@ pub fn format_dynamic_verification_summary(summary: &DynamicVerificationSummary)
/// composite-chain re-verification can reuse preloaded summaries and callgraph
/// context.
#[cfg(feature = "dynamic")]
+#[allow(clippy::too_many_arguments)]
pub(crate) fn verify_findings_for_scan(
diags: &mut [Diag],
project_name: &str,
diff --git a/src/surface/build.rs b/src/surface/build.rs
index e57f911f..c23c7832 100644
--- a/src/surface/build.rs
+++ b/src/surface/build.rs
@@ -3,15 +3,15 @@
//! Phase 22 dispatch:
//!
//! 1. Per-file framework probes (one parser per language) emit
-//! [`SurfaceNode::EntryPoint`](crate::surface::SurfaceNode::EntryPoint) nodes for every recognised route /
+//! [`SurfaceNode::EntryPoint`] nodes for every recognised route /
//! handler.
//! 2. [`super::datastore::detect_data_stores`] walks
-//! [`GlobalSummaries`] and emits [`SurfaceNode::DataStore`](crate::surface::SurfaceNode::DataStore) nodes
+//! [`GlobalSummaries`] and emits [`SurfaceNode::DataStore`] nodes
//! for every recognised driver call.
//! 3. [`super::external::detect_external_services`] walks summaries +
-//! SSRF caps and emits [`SurfaceNode::ExternalService`](crate::surface::SurfaceNode::ExternalService) nodes.
+//! SSRF caps and emits [`SurfaceNode::ExternalService`] nodes.
//! 4. [`super::dangerous::detect_dangerous_locals`] walks summaries
-//! and emits [`SurfaceNode::DangerousLocal`](crate::surface::SurfaceNode::DangerousLocal) nodes for every
+//! and emits [`SurfaceNode::DangerousLocal`] nodes for every
//! function whose `sink_caps` include a local-sink class (code-exec,
//! deserialize, SSTI, format-string, LDAP / XPath / header /
//! open-redirect injection, XXE, prototype pollution), located at the
diff --git a/src/surface/exposure.rs b/src/surface/exposure.rs
index a3031834..10c85c0a 100644
--- a/src/surface/exposure.rs
+++ b/src/surface/exposure.rs
@@ -3,7 +3,7 @@
//!
//! This is the bridge that makes the attack surface participate in the
//! core finding pipeline instead of living off to the side in `nyx
-//! surface`: every [`Diag`](crate::commands::scan::Diag) gets an
+//! surface`: every [`Diag`] gets an
//! optional [`Exposure`] annotation describing the *worst-case* route
//! that reaches it (unauthenticated preferred over auth-gated, direct
//! file match preferred over transitive call-graph reach), and the
@@ -11,7 +11,7 @@
//! reachable findings sort above internal ones.
//!
//! Matching granularity is file-level, same as the chain composer's
-//! [`Reach`](crate::chain::Reach): a finding in `views.py` is exposed
+//! [`Reach`](crate::chain::edges::Reach): a finding in `views.py` is exposed
//! when an entry-point's handler lives in `views.py`, or — when a
//! [`FileReachMap`] is supplied — when some handler's file transitively
//! reaches `views.py` through the call graph.