security: 16 CVE advisories in Cargo.lock (bridge triage, Track E)

[hyperpolymath]

panic-attack estate sweep — Track E bridge triage

panic-attack bridge triage (RustSec advisory DB, with reachability analysis) found 16 CVE/advisory findings in this repo's Cargo.lock (out of 315 total dependencies; 16 vulnerable).

Severity: medium: 16
Reachability: phantom: 16
Classification: informational: 16

Each finding includes a recommended action (often Remove unused dependency for phantom-imported crates). Reachability phantom = declared in Cargo.toml but never imported in any .rs file — removing the dep eliminates the CVE entirely with no behavioural change.

Estate tracker: hyperpolymath/panic-attack#32.

Findings

full advisory list

GHSA-f26g-jm89-4g65  gix@0.79.0  medium  reach=phantom  class=informational  fix=
GHSA-fr8x-3vfx-f45h  gix@0.79.0  medium  reach=phantom  class=informational  fix=
GHSA-p3hw-mv63-rf9w  gix@0.79.0  medium  reach=phantom  class=informational  fix=
GHSA-pg4w-g64p-qwhj  gix@0.79.0  medium  reach=phantom  class=informational  fix=
GHSA-f89h-2fjh-2r9q  gix-fs@0.19.1  medium  reach=phantom  class=informational  fix=
GHSA-x494-mj8g-cj27  gix-pack@0.66.0  medium  reach=phantom  class=informational  fix=
GHSA-9857-6mw7-fq2m  gix-transport@0.54.0  medium  reach=phantom  class=informational  fix=
GHSA-p3hw-mv63-rf9w  gix-validate@0.11.0  medium  reach=phantom  class=informational  fix=
GHSA-cq8v-f236-94qc  rand@0.9.2  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0097  rand@0.9.2  medium  reach=phantom  class=informational  fix=
GHSA-82j2-j2ch-gfr8  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
GHSA-965h-392x-2mh5  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
GHSA-xgp8-3hg3-c2mh  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0098  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0099  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=
RUSTSEC-2026-0104  rustls-webpki@0.103.10  medium  reach=phantom  class=informational  fix=

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26) — Track E (bridge triage). See hyperpolymath/panic-attack#32 for campaign tracker.

[hyperpolymath]

Triage (2026-05-27) — Cohort E-2 reassignment

This repo was initially grouped into Cohort E-2 (Dioxus/GTK transitive), but inspection of Cargo.toml (workspace + gui/Cargo.toml) confirms it does NOT pull Dioxus or the GTK family. The GUI crate is gossamer-rs (path dep — explicit comment in Cargo.toml: "Gossamer desktop GUI (converted from Tauri)"). This repo has been misclassified into E-2 and should be reassigned. The advisories cluster cleanly around gix + reqwest.

Actual parent deps (from workspace Cargo.toml):

• gix = "0.79" (with blocking-network-client) → pulls gix-fs, gix-pack, gix-transport, gix-validate family advisories
• reqwest = "0.12" (with rustls-tls) → pulls rustls-webpki/rand

Informational (reach=phantom, declared-but-unused via parent):

• GHSA-f26g-jm89-4g65 in gix@0.79.0 (parent: direct dep)
• GHSA-fr8x-3vfx-f45h in gix@0.79.0
• GHSA-p3hw-mv63-rf9w in gix@0.79.0
• GHSA-pg4w-g64p-qwhj in gix@0.79.0
• GHSA-f89h-2fjh-2r9q in gix-fs@0.19.1 (parent: gix)
• GHSA-x494-mj8g-cj27 in gix-pack@0.66.0 (parent: gix)
• GHSA-9857-6mw7-fq2m in gix-transport@0.54.0 (parent: gix)
• GHSA-p3hw-mv63-rf9w in gix-validate@0.11.0 (parent: gix)
• GHSA-cq8v-f236-94qc in rand@0.9.2 (parent: reqwest/rustls)
• RUSTSEC-2026-0097 in rand@0.9.2
• GHSA-82j2-j2ch-gfr8 in rustls-webpki@0.103.10 (parent: reqwest→rustls)
• GHSA-965h-392x-2mh5 in rustls-webpki@0.103.10
• GHSA-xgp8-3hg3-c2mh in rustls-webpki@0.103.10
• RUSTSEC-2026-0098 in rustls-webpki@0.103.10
• RUSTSEC-2026-0099 in rustls-webpki@0.103.10
• RUSTSEC-2026-0104 in rustls-webpki@0.103.10

Reachable (requires upstream fix):

None at present. All 16 are reach=phantom per the bridge.

Closure path:

This issue should be reassigned out of E-2 (no Dioxus/GTK) and probably belongs in a "Cohort gix" or "Cohort rustls-webpki transitive" bucket. Remain OPEN until either:

1. gix@0.80+ ships with the family advisories closed AND reqwest/rustls ship with bumped webpki/rand;
2. We swap gix for git2 (alternative git binding), OR
3. panic-attack's patch-bridge classifies the phantom set as Informational and we close as accepted-risk (Cohort E-2 panic-attack tracking issue patch-bridge: classify Dioxus/GTK transitive advisories as Informational (Cohort E-2) panic-attack#75 lists this repo as misclassified and asks for a separate cohort).

16 informational, 0 reachable.