Skip to content

[58_maintenance] Backport cargo audit fixes#10369

Merged
alamb merged 2 commits into
apache:58_maintenancefrom
alamb:alamb/audit_maintenance
Jul 18, 2026
Merged

[58_maintenance] Backport cargo audit fixes#10369
alamb merged 2 commits into
apache:58_maintenancefrom
alamb:alamb/audit_maintenance

Conversation

@alamb

@alamb alamb commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Which issue does this PR close?

Rationale for this change

Get a clean CI

What changes are included in this PR?

Backport / Cherry-pick:

Are these changes tested?

By CI

Are there any user-facing changes?

No

Jefffrey and others added 2 commits July 18, 2026 06:52
…10267)

## Which issue does this PR close?

N/A

## Rationale for this change

The audit workflow is failing on main:
https://github.com/apache/arrow-rs/actions/runs/28591575622/job/84776210875


```shell
Run cargo audit
    Fetching advisory database from `[https://github.com/RustSec/advisory-db.git`](https://github.com/RustSec/advisory-db.git%60)
      Loaded 1149 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (447 crate dependencies)
Crate:     quick-xml
Version:   0.39.4
Title:     Quadratic run time when checking a start tag for duplicate attribute names
Date:      2026-06-29
ID:        RUSTSEC-2026-0194
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0194
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     quick-xml
error: 2 vulnerabilities found!
warning: 1 allowed warning found
Version:   0.39.4
Title:     Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
Date:      2026-06-29
ID:        RUSTSEC-2026-0195
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0195
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     paste
Version:   1.0.15
Warning:   unmaintained
Title:     paste - no longer maintained
Date:      2024-10-07
ID:        RUSTSEC-2024-0436
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0436

Error: Process completed with exit code 1.
```

quick-xml advisories RUSTSEC-2026-0194 and RUSTSEC-2026-0195. quick-xml
is pulled in transitively through object_store, and the released
object_store versions available to arrow-rs do not yet depend on
quick-xml >=0.41.0.

## What changes are included in this PR?

This temporarily ignores the two quick-xml RustSec advisories in the
audit workflow and documents the upstream dependency release needed to
remove the ignore.

## Are there any user-facing changes?

No.

## Validation

Inspected the failing GitHub Actions audit job and verified the
dependency path with cargo tree.
@alamb alamb added the development-process Related to development process of arrow-rs label Jul 18, 2026
@alamb
alamb merged commit c12030f into apache:58_maintenance Jul 18, 2026
32 of 33 checks passed
@alamb
alamb deleted the alamb/audit_maintenance branch July 18, 2026 10:55
alamb added a commit to alamb/arrow-rs that referenced this pull request Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

development-process Related to development process of arrow-rs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants