-
Notifications
You must be signed in to change notification settings - Fork 104
Security and Dependencies
Tier: Advanced
qsv has a large dependency tree (~1,000 crates with all_features). To keep it
healthy, qsv runs an automated security audit every day and deals with findings
in one of two ways: patch the dependency at the source (via a fork) when qsv
can fix it, or record a vetted ignore when the finding is a transitive
dependency qsv cannot upgrade directly.
To report a vulnerability, see the repo's SECURITY.md.
The security-audit.yml
GitHub Action runs cargo audit
(via rustsec/audit-check) on a schedule, checking Cargo.lock against the
RustSec Advisory Database. New advisories are filed as
issues automatically.
cargo audit reads its configuration from
.cargo/audit.toml,
which holds the vetted ignore list described below. The same file applies when
you run cargo audit locally.
When the affected crate is one qsv can fix — or it's only a few lines away from
dropping the bad dependency — qsv maintains a patched fork and wires it in via
[patch.crates-io] in Cargo.toml.
This removes the advisory at the source rather than suppressing it.
Forks qsv currently patches in:
| Crate(s) | Fork / source | Why |
|---|---|---|
csv, csv-core, csv-index
|
dathere/rust-csv (qsv-tuned) |
Performance tuning — see Tuned csv Fork Benchmarks |
sled |
dathere/sled (v0.34.7-drop-fxhash) |
Drops unmaintained instant (RUSTSEC-2024-0384) and unmaintained fxhash (RUSTSEC-2025-0057, replaced with rustc-hash) |
object_store |
kdn36/arrow-rs-object-store (feat_with_dns_resolver) |
Adds the with_dns_resolver method polars-io requires |
csvlens |
YS-L/csvlens (pinned rev 6acf060) |
Track upstream rev ahead of a crates.io release |
csvs_convert |
jqnatividad/csvs_convert |
Bump dependencies until upstream PR merges |
whatlang |
jqnatividad/whatlang-rs |
Bump hashbrown until upstream PR merges |
calamine |
tafia/calamine (pinned rev 058cb50) |
Track upstream rev ahead of a crates.io release |
plotly |
dathere/plotly (pinned rev 8d56b22) |
viz charting fixes ahead of an upstream release |
spreadsheet-ods |
jqnatividad/spreadsheet-ods (deps-bump-202607) |
Bump dependencies until upstream PR merges |
polars |
pola-rs/polars (pinned tag/rev) |
Track latest upstream fixes ahead of crates.io releases |
Note:
[patch.crates-io]forks are stripped oncargo publish, so they only apply to git-checkout builds (CI, local dev, the release workflows).cargo install qsvfrom crates.io is not currently supported.
Some advisories are "unmaintained" notices (not vulnerabilities) for crates
that arrive deep in the tree through dependencies qsv does not control. When qsv
cannot upgrade or fork its way out, the advisory is recorded in
.cargo/audit.toml with a comment documenting the dependency chain and the
upstream that must update before the entry can be removed. The list is
re-evaluated periodically and pruned as upstreams migrate.
Current ignores:
| Advisory | Crate | Reaches qsv via | Notes |
|---|---|---|---|
| RUSTSEC-2026-0173 | proc-macro-error2 |
jaq → jiff → defmt (optional) → defmt-macros
|
jiff's defmt feature is never enabled, so it's in Cargo.lock but never compiled or linked (#4072) |
| RUSTSEC-2025-0141 | bincode |
polars → polars-utils
|
Clears when polars updates |
| RUSTSEC-2024-0436 | paste |
tikv-jemalloc-ctl |
Clears when tikv-jemalloc-ctl updates |
| RUSTSEC-2025-0134 | rustls-pemfile |
plotly → plotly_static → webdriver-downloader → reqwest 0.11
|
Clears when plotly's deps move to reqwest 0.12
|
cargo install cargo-audit
cargo audit # honors .cargo/audit.tomlTo see what a given ignored advisory actually pulls in:
cargo tree -i <crate> --target all --all-featuresqsv — GitHub · Releases · Discussions · qsv pro · Try it online · Benchmarks · datHere · DeepWiki · Dual-licensed MIT / Unlicense
Edit this page: Contributing to the Wiki
Home · Why qsv? · Tier legend
- All Commands (index)
- Selection & Inspection
- Transform & Reshape
- Aggregation & Statistics
- Joins & Set Ops
- SQL & Polars
- Validation & Schema
- Metadata Profiling (profile)
- Conversion & I/O
- Geospatial
- Visualization (viz)
- HTTP & Web
- Get & Disk Cache
- Scripting (Luau / Python)
- Indexing, Compression & Diff
- AI & Documentation
- Recipes index
- Inspect an Unknown CSV
- Clean & Normalize
- Geographic Enrichment
- Date Enrichment
- CKAN Integration
- JSON Schema Validation
- Build a Data Pipeline
- Stats → Insights
- Fetch & Cache
- Larger-than-RAM CSV
- Diff & Audit
- Multi-table Joins
- Synthesize Fake Data