security: 22 CVE advisories in Cargo.lock (bridge triage, Track E)

[hyperpolymath]

panic-attack estate sweep — Track E bridge triage

panic-attack bridge triage (RustSec advisory DB, with reachability analysis) found 22 CVE/advisory findings in this repo's Cargo.lock (out of 465 total dependencies; 22 vulnerable).

Severity: medium: 22
Reachability: phantom: 22
Classification: informational: 22

Each finding includes a recommended action (often Remove unused dependency for phantom-imported crates). Reachability phantom = declared in Cargo.toml but never imported in any .rs file — removing the dep eliminates the CVE entirely with no behavioural change.

Estate tracker: hyperpolymath/panic-attack#32.

Findings

full advisory list

RUSTSEC-2021-0139  ansi_term@0.12.1  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0141  bincode@1.3.3  medium  reach=phantom  class=informational  fix=
GHSA-8c75-8mhr-p7r9  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-ghm9-cr32-g9qj  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-hppc-g8h3-xhp3  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-phqj-4mhp-q6mq  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-pqf5-4pqq-29f5  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-xmgf-hq76-4vx2  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-xp3w-r5p5-63rr  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-xv59-967r-8726  openssl@0.10.76  medium  reach=phantom  class=informational  fix=
GHSA-cq8v-f236-94qc  rand@0.9.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0097  rand@0.9.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0134  rustls-pemfile@2.2.0  medium  reach=phantom  class=informational  fix=
GHSA-82j2-j2ch-gfr8  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
GHSA-965h-392x-2mh5  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
GHSA-xgp8-3hg3-c2mh  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0098  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0099  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0104  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
GHSA-xphw-cqx3-667j  thin-vec@0.2.14  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0103  thin-vec@0.2.14  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0320  yaml-rust@0.4.5  medium  reach=phantom  class=informational  fix=

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26) — Track E (bridge triage). See hyperpolymath/panic-attack#32 for campaign tracker.

[hyperpolymath]

Triage (2026-05-27) — Cohort E-2 reassignment

This repo was initially grouped into Cohort E-2 (Dioxus/GTK transitive), but inspection of Cargo.toml confirms it does NOT pull Dioxus or the GTK family. The GUI crate is gossamer-rs (path dep, identical layout to formatrix-docs). This repo has been misclassified into E-2 and should be reassigned.

Actual parent deps (from workspace Cargo.toml):

• vosk = "0.3" (speech recognition FFI) + tesseract-rs = "0.3" (OCR FFI) → pull openssl@0.10.76 family
• nickel-lang-core = "0.10" → pulls ansi_term@0.12.1, yaml-rust@0.4.5
• arangors = "0.6" → pulls rustls/rustls-webpki/rustls-pemfile/rand
• comrak/asciidoc-parser/document_tree → assorted transitives (bincode, thin-vec)

Informational (reach=phantom, declared-but-unused via parent):

• RUSTSEC-2021-0139 in ansi_term@0.12.1 (parent: nickel-lang-core)
• RUSTSEC-2025-0141 in bincode@1.3.3 (parent: transitive utility)
• GHSA-8c75-8mhr-p7r9 in openssl@0.10.76 (parent: vosk/tesseract-rs)
• GHSA-ghm9-cr32-g9qj in openssl@0.10.76
• GHSA-hppc-g8h3-xhp3 in openssl@0.10.76
• GHSA-phqj-4mhp-q6mq in openssl@0.10.76
• GHSA-pqf5-4pqq-29f5 in openssl@0.10.76
• GHSA-xmgf-hq76-4vx2 in openssl@0.10.76
• GHSA-xp3w-r5p5-63rr in openssl@0.10.76
• GHSA-xv59-967r-8726 in openssl@0.10.76
• GHSA-cq8v-f236-94qc in rand@0.9.2 (parent: arangors/rustls)
• RUSTSEC-2026-0097 in rand@0.9.2
• RUSTSEC-2025-0134 in rustls-pemfile@2.2.0 (parent: arangors→rustls)
• GHSA-82j2-j2ch-gfr8 in rustls-webpki@0.103.10 (parent: arangors→rustls)
• GHSA-965h-392x-2mh5 in rustls-webpki@0.103.10
• GHSA-xgp8-3hg3-c2mh in rustls-webpki@0.103.10
• RUSTSEC-2026-0098 in rustls-webpki@0.103.10
• RUSTSEC-2026-0099 in rustls-webpki@0.103.10
• RUSTSEC-2026-0104 in rustls-webpki@0.103.10
• GHSA-xphw-cqx3-667j in thin-vec@0.2.14 (parent: document_tree/transitive)
• RUSTSEC-2026-0103 in thin-vec@0.2.14
• RUSTSEC-2024-0320 in yaml-rust@0.4.5 (parent: nickel-lang-core)

Reachable (requires upstream fix):

None at present. All 22 are reach=phantom per the bridge.

Closure path:

This issue should be reassigned out of E-2 (no Dioxus/GTK) and remain OPEN until either:

1. Parent deps (vosk, tesseract-rs, arangors, nickel-lang-core) ship releases that bump openssl/rustls/rand/yaml transitives;
2. We swap vosk/tesseract-rs for non-openssl alternatives, OR
3. panic-attack's patch-bridge classifies the phantom set as Informational and we close as accepted-risk (Cohort E-2 panic-attack tracking issue patch-bridge: classify Dioxus/GTK transitive advisories as Informational (Cohort E-2) panic-attack#75 lists this repo as misclassified and asks for a separate cohort).

22 informational, 0 reachable.