security: 19 CVE advisories in Cargo.lock (bridge triage, Track E)

[hyperpolymath]

panic-attack estate sweep — Track E bridge triage

panic-attack bridge triage (RustSec advisory DB, with reachability analysis) found 19 CVE/advisory findings in this repo's Cargo.lock (out of 489 total dependencies; 19 vulnerable).

Severity: medium: 19
Reachability: phantom: 19
Classification: informational: 19

Each finding includes a recommended action (often Remove unused dependency for phantom-imported crates). Reachability phantom = declared in Cargo.toml but never imported in any .rs file — removing the dep eliminates the CVE entirely with no behavioural change.

Estate tracker: hyperpolymath/panic-attack#32.

Findings

full advisory list

RUSTSEC-2021-0139  ansi_term@0.12.1  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0141  bincode@1.3.3  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0384  instant@0.1.13  medium  reach=phantom  class=informational  fix=
GHSA-8c75-8mhr-p7r9  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-ghm9-cr32-g9qj  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-hppc-g8h3-xhp3  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-phqj-4mhp-q6mq  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-pqf5-4pqq-29f5  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-xmgf-hq76-4vx2  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-xp3w-r5p5-63rr  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-xv59-967r-8726  openssl@0.10.77  medium  reach=phantom  class=informational  fix=
GHSA-6xvm-j4wr-6v98  quinn-proto@0.11.9  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0037  quinn-proto@0.11.9  medium  reach=phantom  class=informational  fix=
GHSA-cq8v-f236-94qc  rand@0.8.5  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0097  rand@0.8.5  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0134  rustls-pemfile@2.2.0  medium  reach=phantom  class=informational  fix=
GHSA-82j2-j2ch-gfr8  rustls-webpki@0.103.12  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0104  rustls-webpki@0.103.12  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0320  yaml-rust@0.4.5  medium  reach=phantom  class=informational  fix=

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26) — Track E (bridge triage). See hyperpolymath/panic-attack#32 for campaign tracker.

[hyperpolymath]

Triage (2026-05-27) — Cohort E-2 reassignment

This repo was initially grouped into Cohort E-2 (Dioxus/GTK transitive), but inspection of Cargo.toml confirms it does NOT pull Dioxus or the GTK family. The GUI crate is gossamer-rs (path dep, not a Dioxus desktop wrapper). This repo has been misclassified into E-2 and should be reassigned.

Actual parent deps (from workspace Cargo.toml):

• reqwest = "0.12" (with rustls-tls) → pulls rustls/rustls-webpki/rustls-pemfile/quinn-proto/rand
• vosk = "0.3" (speech recognition FFI) → pulls openssl@0.10.77 family
• arangors = "0.6" (ArangoDB client) → pulls openssl + transitive utilities
• nickel-lang-core = "0.10" → pulls ansi_term@0.12.1, instant@0.1.13, yaml-rust@0.4.5
• comrak/tesseract-rs → assorted transitives (bincode)

Informational (reach=phantom, declared-but-unused via parent):

• RUSTSEC-2021-0139 in ansi_term@0.12.1 (parent: nickel-lang-core)
• RUSTSEC-2025-0141 in bincode@1.3.3 (parent: transitive utility)
• RUSTSEC-2024-0384 in instant@0.1.13 (parent: nickel-lang-core)
• GHSA-8c75-8mhr-p7r9 in openssl@0.10.77 (parent: vosk/arangors)
• GHSA-ghm9-cr32-g9qj in openssl@0.10.77
• GHSA-hppc-g8h3-xhp3 in openssl@0.10.77
• GHSA-phqj-4mhp-q6mq in openssl@0.10.77
• GHSA-pqf5-4pqq-29f5 in openssl@0.10.77
• GHSA-xmgf-hq76-4vx2 in openssl@0.10.77
• GHSA-xp3w-r5p5-63rr in openssl@0.10.77
• GHSA-xv59-967r-8726 in openssl@0.10.77
• GHSA-6xvm-j4wr-6v98 in quinn-proto@0.11.9 (parent: reqwest/http3)
• RUSTSEC-2026-0037 in quinn-proto@0.11.9
• GHSA-cq8v-f236-94qc in rand@0.8.5 (parent: rustls/transitive)
• RUSTSEC-2026-0097 in rand@0.8.5
• RUSTSEC-2025-0134 in rustls-pemfile@2.2.0 (parent: reqwest→rustls)
• GHSA-82j2-j2ch-gfr8 in rustls-webpki@0.103.12 (parent: reqwest→rustls)
• RUSTSEC-2026-0104 in rustls-webpki@0.103.12
• RUSTSEC-2024-0320 in yaml-rust@0.4.5 (parent: nickel-lang-core)

Reachable (requires upstream fix):

None at present. All 19 are reach=phantom per the bridge.

Closure path:

This issue should be reassigned out of E-2 (no Dioxus/GTK) and remain OPEN until either:

1. The parent deps (reqwest, vosk, arangors, nickel-lang-core) ship releases that bump their TLS / yaml / instant transitives;
2. We swap vosk/arangors for non-openssl alternatives, OR
3. panic-attack's patch-bridge classifies the phantom set as Informational and we close as accepted-risk (the Cohort E-2 panic-attack tracking issue patch-bridge: classify Dioxus/GTK transitive advisories as Informational (Cohort E-2) panic-attack#75 lists this repo as misclassified and asks for a separate cohort).

19 informational, 0 reachable.