Bug
panic-attack bridge triage emits the recommended action `Remove unused dependency <pkg> from Cargo.toml` for any phantom-classified CVE — but in practice ALL the phantom-classified findings I sampled across the 2026-05-26 estate sweep (28/28 in a 6-repo sample, 157 phantoms total) are transitive deps pulled in by upstream crates, never declared in any Cargo.toml.
Evidence
| Repo | Phantom pkg | In Cargo.toml? | Actual parent |
|---|---|---|---|
| multiterm | lru@0.12.5 | No | ratatui 0.29 |
| multiterm | paste@1.0.15 | No | (transitive) |
| docmatrix | ansi_term, bincode, openssl, rand, rustls-pemfile, rustls-webpki, thin-vec, yaml-rust | No (all 8) | (transitive) |
| formatrix-docs | 9 packages | No (all 9) | (transitive) |
| git-reticulator | 5 packages | No (all 5) | (transitive) |
| 007 | rustls-webpki | No | (transitive) |
| bunsenite | 3 packages | No (all 3) | (transitive) |
In every case `grep -E '^\s*<pkg>\s*=' Cargo.toml` returns nothing — the dep is purely transitive. `cargo update` doesn't drop these either (they're at the latest crates.io version matching the upstream's constraint).
Fix sketch
bridge triage should:
- Detect direct vs transitive by checking whether the package appears as a key in the project's `[dependencies]` / `[dev-dependencies]` / `[build-dependencies]` sections (or workspace equivalents).
- For direct phantom deps: keep the current `Remove unused dependency` action.
- For transitive phantom deps: emit a different action, something like:
  `Transitive via <parent>; consider cargo update -p <parent> or bumping its constraint in Cargo.toml. If no upstream fix exists, the finding is informational only (code unreachable from this project).`
- For unmitigable + reachable: actionable warning (this is the real-risk category — 8 in the 2026-05-26 sweep, all advisory-issued without fixed versions).
Cross-references
The underlying "informational + phantom" classification is correct (these CVEs really are unreachable). It's only the action-string that's wrong.