Conversation

@hanabi1224 hanabi1224 commented Nov 11, 2025

Summary of changes

Changes introduced in this pull request:

  • fix RUSTSEC-2023-0071 by switching jsonwebtoken backend from rust_crypto to aws_lc_rs
  • remove a few stale RUSTSECs
  • fix license list
  • cargo update

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated cryptographic library dependency backend for enhanced security.
    • Refined security advisory and license compliance configurations.

coderabbitai bot commented Nov 11, 2025

Walkthrough

Dependency configuration updates: jsonwebtoken feature set switched from rust_crypto to aws_lc_rs in Cargo.toml. Multiple RUSTSEC advisory exemptions removed from deny.toml, and OpenSSL license identifier added to approved licenses list.

Changes

  • Dependency Feature Update (Cargo.toml): changed jsonwebtoken dependency feature from rust_crypto to aws_lc_rs
  • Security Advisory & License Management (deny.toml): removed multiple RUSTSEC entries from advisories ignore list; added OpenSSL to licenses allow list

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify the jsonwebtoken feature switch is compatible with project requirements
  • Confirm removed RUSTSEC advisories are no longer applicable or have been addressed
  • Ensure OpenSSL license addition aligns with project licensing policies

Suggested labels

dependencies, rust

Suggested reviewers

  • akaladarshi
  • elmattic
  • sudo-shashank

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'fix: a few RUSTSEC(s)' accurately reflects the main objective of fixing multiple RUSTSEC advisories and addressing security issues in the codebase.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21cc6c6 and c2eea0b.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • Cargo.toml (1 hunks)
  • deny.toml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5867
File: src/ipld/util.rs:553-558
Timestamp: 2025-08-08T12:10:45.218Z
Learning: Forest pins Rust toolchain to 1.89.0 via rust-toolchain.toml; features stabilized in 1.88 (e.g., let-chains) are acceptable in this codebase.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests
  • GitHub Check: tests-release
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
  • GitHub Check: All lint checks
🔇 Additional comments (3)
Cargo.toml (1)

118-118: Backend cryptography switch is correct and addresses the security vulnerability.

The change from rust_crypto to aws_lc_rs is the correct approach for jsonwebtoken 10.0.0, which requires exactly one of these two crypto backends. This targeted change fixes RUSTSEC-2023-0071 without version bumping or unnecessary modifications.

deny.toml (2)

2-9: Advisory removals align with PR objectives.

The three remaining entries all have documented justifications. Since jsonwebtoken 10.0.0 supports aws_lc_rs as a crypto backend option, the removal of RUSTSEC-2023-0071 from the ignore list is appropriate—the vulnerability is being addressed rather than ignored via feature selection. The other retained entries (parity-wasm, paste, wasmtime) are properly documented as unmaintained or FVM-dependent issues.


20-20: OpenSSL license is appropriate for the aws_lc_rs backend.

Adding "OpenSSL" to the allow list is consistent with the jsonwebtoken backend change, as aws_lc_rs depends on OpenSSL for cryptographic operations. This aligns with the existing "ring" clarification on line 49, which already lists OpenSSL in its expression.


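The two configuration edits discussed in the review above, shown as an added example rather than the forest repository's own Cargo.toml and deny.toml. Only the backend switch, the removal of RUSTSEC-2023-0071 from the advisories ignore list and the "OpenSSL" allow entry are taken from the PR page; the exact feature list (jsonwebtoken 10 also exposes a use_pem feature), the other allow entries, the placeholder ignore comment and the ring license-file hash are assumptions. The "before" state of each setting is left in as a comment next to its replacement. RUSTSEC-2023-0071 is the timing side-channel advisory against the pure-Rust rsa crate, which the rust_crypto backend pulls in and the aws_lc_rs backend does not.

```toml
# Added example, not the project's own files. Two files are shown in one
# block, separated by the "---- file ----" comments.

# ---- Cargo.toml ----------------------------------------------------------
[dependencies]
# Before: the default backend. It depends on the rsa crate, which is the
# subject of RUSTSEC-2023-0071, so cargo-deny keeps flagging the tree.
# jsonwebtoken = { version = "10", features = ["rust_crypto"] }

# After: opt out of the default feature set, then select aws_lc_rs. jsonwebtoken
# 10 requires exactly one backend feature, so rust_crypto must not remain on.
# "use_pem" is assumed here so PEM-encoded keys still load.
jsonwebtoken = { version = "10", default-features = false, features = ["aws_lc_rs", "use_pem"] }

# ---- deny.toml -----------------------------------------------------------
[advisories]
# Before (assumed shape): the advisory was silenced rather than fixed.
# ignore = [
#     { id = "RUSTSEC-2023-0071", reason = "jsonwebtoken pulls in rsa" },
# ]
# After: the entry is gone, so cargo-deny fails again if rsa ever re-enters
# the tree. Entries that stay (the review names parity-wasm, paste and
# wasmtime) should each carry a reason so the exemption stays auditable;
# their advisory ids are not shown on the page and are omitted here.
ignore = [
]

[licenses]
# aws-lc-rs ships OpenSSL-licensed source, so "OpenSSL" must be allowed.
# The other identifiers are assumed.
allow = ["Apache-2.0", "MIT", "ISC", "OpenSSL"]

# The same pattern the review refers to for ring, whose license expression
# already includes OpenSSL. The hash value is assumed; cargo-deny prints the
# expected value when it does not match.
[[licenses.clarify]]
crate = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
```

After applying both edits, confirm the fix is real rather than silenced: `cargo tree -i rsa` should report that no package matches, and `cargo deny check advisories licenses` should pass with RUSTSEC-2023-0071 absent from the ignore list. If the tree still contains rsa, another dependency is pulling it in and the advisory has not actually been addressed.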

@hanabi1224 hanabi1224 marked this pull request as ready for review November 11, 2025 08:56
@hanabi1224 hanabi1224 requested a review from a team as a code owner November 11, 2025 08:56
@hanabi1224 hanabi1224 requested review from LesnyRumcajs and sudo-shashank and removed request for a team November 11, 2025 08:56
@hanabi1224 hanabi1224 enabled auto-merge November 11, 2025 09:27
@hanabi1224 hanabi1224 added this pull request to the merge queue Nov 11, 2025
Merged via the queue into main with commit d2971d8 Nov 11, 2025
69 of 71 checks passed
@hanabi1224 hanabi1224 deleted the hm/fix-RUSTSECS branch November 11, 2025 09:55
@coderabbitai coderabbitai bot mentioned this pull request Jan 8, 2026