Skip to content

fix: update cargo-deny advisory ignore list#4330

Closed
bistack wants to merge 2 commits into
Hmbown:mainfrom
bistack:fix/cargo-deny-advisories
Closed

fix: update cargo-deny advisory ignore list#4330
bistack wants to merge 2 commits into
Hmbown:mainfrom
bistack:fix/cargo-deny-advisories

Conversation

@bistack

@bistack bistack commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Update cargo-deny advisory ignore list:

Context

Both and are transitive dependencies via , which is used by . No safe upgrade path exists for these crates.

bistack added 2 commits July 10, 2026 11:05
Add security audit infrastructure using RustSec advisory database:

- .github/workflows/security-audit.yml: runs cargo-audit to scan
  Cargo.lock for known vulnerabilities (non-blocking)
- .github/workflows/cargo-deny.yml: checks advisories, dependency
  bans, licenses, and sources
- audit.toml: cargo-audit configuration
- deny.toml: cargo-deny configuration with allowed licenses
- README.md: add Security audit and cargo-deny status badges
- Remove RUSTSEC-2026-0187 (lopdf fixed in PR Hmbown#4328)
- Add RUSTSEC-2024-0388 (derivative unmaintained, transitive via starlark)
- Add RUSTSEC-2025-0057 (fxhash unmaintained, transitive via starlark)
@bistack bistack requested a review from Hmbown as a code owner July 10, 2026 03:10
@github-actions

Copy link
Copy Markdown

Thanks @bistack for taking the time to contribute.

This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered.

Please read CONTRIBUTING.md for the expected contribution shape. A maintainer can grant recurring PR access by commenting /lgtm on a pull request.

@bistack bistack closed this Jul 10, 2026
@bistack bistack deleted the fix/cargo-deny-advisories branch July 10, 2026 03:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant