Skip to content

Security and Dependencies

Joel Natividad edited this page Jul 6, 2026 · 2 revisions

Security & Dependency Audits

Tier: Advanced

qsv has a large dependency tree (~1,000 crates with all_features). To keep it healthy, qsv runs an automated security audit every day and deals with findings in one of two ways: patch the dependency at the source (via a fork) when qsv can fix it, or record a vetted ignore when the finding is a transitive dependency qsv cannot upgrade directly.

To report a vulnerability, see the repo's SECURITY.md.

The daily audit

The security-audit.yml GitHub Action runs cargo audit (via rustsec/audit-check) on a schedule, checking Cargo.lock against the RustSec Advisory Database. New advisories are filed as issues automatically.

cargo audit reads its configuration from .cargo/audit.toml, which holds the vetted ignore list described below. The same file applies when you run cargo audit locally.

Two ways qsv handles a finding

1. Patch the fork

When the affected crate is one qsv can fix — or it's only a few lines away from dropping the bad dependency — qsv maintains a patched fork and wires it in via [patch.crates-io] in Cargo.toml. This removes the advisory at the source rather than suppressing it.

Forks qsv currently patches in:

Crate(s) Fork / source Why
csv, csv-core, csv-index dathere/rust-csv (qsv-tuned) Performance tuning — see Tuned csv Fork Benchmarks
sled dathere/sled (v0.34.7-drop-fxhash) Drops unmaintained instant (RUSTSEC-2024-0384) and unmaintained fxhash (RUSTSEC-2025-0057, replaced with rustc-hash)
object_store kdn36/arrow-rs-object-store (feat_with_dns_resolver) Adds the with_dns_resolver method polars-io requires
csvlens YS-L/csvlens (pinned rev 6acf060) Track upstream rev ahead of a crates.io release
csvs_convert jqnatividad/csvs_convert Bump dependencies until upstream PR merges
whatlang jqnatividad/whatlang-rs Bump hashbrown until upstream PR merges
calamine tafia/calamine (pinned rev 058cb50) Track upstream rev ahead of a crates.io release
plotly dathere/plotly (pinned rev 8d56b22) viz charting fixes ahead of an upstream release
spreadsheet-ods jqnatividad/spreadsheet-ods (deps-bump-202607) Bump dependencies until upstream PR merges
polars pola-rs/polars (pinned tag/rev) Track latest upstream fixes ahead of crates.io releases

Note: [patch.crates-io] forks are stripped on cargo publish, so they only apply to git-checkout builds (CI, local dev, the release workflows). cargo install qsv from crates.io is not currently supported.

2. Vetted ignore

Some advisories are "unmaintained" notices (not vulnerabilities) for crates that arrive deep in the tree through dependencies qsv does not control. When qsv cannot upgrade or fork its way out, the advisory is recorded in .cargo/audit.toml with a comment documenting the dependency chain and the upstream that must update before the entry can be removed. The list is re-evaluated periodically and pruned as upstreams migrate.

Current ignores:

Advisory Crate Reaches qsv via Notes
RUSTSEC-2026-0173 proc-macro-error2 jaqjiffdefmt (optional) → defmt-macros jiff's defmt feature is never enabled, so it's in Cargo.lock but never compiled or linked (#4072)
RUSTSEC-2025-0141 bincode polarspolars-utils Clears when polars updates
RUSTSEC-2024-0436 paste tikv-jemalloc-ctl Clears when tikv-jemalloc-ctl updates
RUSTSEC-2025-0134 rustls-pemfile plotlyplotly_staticwebdriver-downloaderreqwest 0.11 Clears when plotly's deps move to reqwest 0.12

Running the audit yourself

cargo install cargo-audit
cargo audit          # honors .cargo/audit.toml

To see what a given ignored advisory actually pulls in:

cargo tree -i <crate> --target all --all-features

Clone this wiki locally