fix(ci): resolve cargo-audit failures blocking all PR merges#765
Open
wangzishuai1987 wants to merge 1 commit into
Fixes jarchain#722 — CI security audit has been failing since 2026-04-10, blocking all PR merges.

Changes:

- Upgrade rustls-webpki 0.103.12 → 0.103.13 (fixes RUSTSEC-2026-0104: reachable panic in CRL parsing)
- Upgrade polkavm 0.32.0 → 0.33.1 / polkavm-common → 0.33.0 (0.32.0 was yanked from crates.io)
- Add --ignore for transitive dependency warnings with no upgrade path:
  - RUSTSEC-2026-0097: rand unsound with custom logger (via libp2p, jsonrpsee, ark)
  - RUSTSEC-2026-0105: core2 unmaintained (via libp2p -> multihash)
  - RUSTSEC-2024-0436: paste unmaintained (via ark-ff, netlink)
Summary
Fixes #722 — CI security audit has been failing since 2026-04-10, blocking all PR merges on the repository.
Root Cause
New RUSTSEC advisories caused `cargo audit` to fail in CI:

- `rustls-webpki` 0.103.12 — reachable panic in CRL parsing
- `rand` 0.8/0.9 — unsound with custom logger (informational warning)
- `core2` — unmaintained (informational warning)
- `polkavm` 0.32.0 was yanked from crates.io

Changes
Vulnerability fix (upgrade)

- `rustls-webpki` 0.103.12 → 0.103.13 (fixes RUSTSEC-2026-0104)
- `polkavm` 0.32.0 → 0.33.1, `polkavm-common` → 0.33.0 (yanked version removed)

Transitive dependency ignores (no upgrade path available)
Added `--ignore` with detailed comments for warnings that are indirect dependencies with no action we can take:

- `rand` unsound — via libp2p, jsonrpsee, ark (no fix in 0.8.x/0.9.x)
- `core2` unmaintained — via libp2p → multihash (awaiting libp2p migration)
- `paste` unmaintained — via ark-ff and netlink (awaiting upstream)

Verification
Impact
This PR unblocks all pending PRs that are currently stuck due to the failing CI audit check.
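The ignore list described in this PR is the kind of allowlist that tends to rot: once libp2p migrates off `core2` or a fixed `rand` lands, the `--ignore` entry stays behind unnoticed. The following is an added example, not part of the PR or the jarchain repository, showing one way a CI wrapper can keep each ignored advisory paired with its written justification, build the equivalent `cargo audit --ignore` arguments from it, and flag ignore entries that no longer match anything in the report. It assumes the `cargo audit --json` report shape (`vulnerabilities.list` plus a `warnings` map keyed by kind, each entry carrying `advisory.id` and `package.name`); the embedded report, the package versions in it, and the `RUSTSEC-0000-0000` advisory for `example-crate` are constructed placeholders for illustration.

```python
"""Evaluate a cargo-audit JSON report against a documented ignore list.

Added example (not the PR's own code). Assumes the `cargo audit --json`
report shape: `vulnerabilities.list` and a `warnings` map keyed by kind
(unsound, unmaintained, yanked, ...), each entry with `advisory.id` and
`package.name`. The sample report below is constructed, not captured.
"""
import json

# Ignore list with a written justification per advisory, mirroring the PR's
# "--ignore with detailed comments". The three IDs are the ones named in the PR.
IGNORED = {
    "RUSTSEC-2026-0097": "rand unsound with custom logger; transitive via "
                         "libp2p/jsonrpsee/ark, no fix in 0.8.x/0.9.x",
    "RUSTSEC-2026-0105": "core2 unmaintained; transitive via libp2p -> multihash, "
                         "awaiting libp2p migration",
    "RUSTSEC-2024-0436": "paste unmaintained; transitive via ark-ff and netlink, "
                         "awaiting upstream",
}

# Constructed sample report. `paste` is deliberately absent so its ignore
# entry shows up as stale; `example-crate` / RUSTSEC-0000-0000 is a
# placeholder advisory, not a real one, to show an un-ignored finding.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": {"found": false, "count": 0, "list": []},
  "warnings": {
    "unsound": [
      {"kind": "unsound",
       "package": {"name": "rand", "version": "0.8.5"},
       "advisory": {"id": "RUSTSEC-2026-0097"}}
    ],
    "unmaintained": [
      {"kind": "unmaintained",
       "package": {"name": "core2", "version": "0.4.0"},
       "advisory": {"id": "RUSTSEC-2026-0105"}},
      {"kind": "unmaintained",
       "package": {"name": "example-crate", "version": "1.0.0"},
       "advisory": {"id": "RUSTSEC-0000-0000"}}
    ]
  }
}
""")


def cargo_audit_args(ignored):
    """Build the CLI argument list equivalent to the documented ignore list."""
    args = ["cargo", "audit"]
    for adv_id in sorted(ignored):
        args += ["--ignore", adv_id]
    return args


def collect_findings(report):
    """Flatten vulnerabilities and warnings into (advisory_id, package, kind)."""
    findings = []
    for v in report.get("vulnerabilities", {}).get("list", []):
        findings.append((v["advisory"]["id"], v["package"]["name"], "vulnerability"))
    for kind, entries in report.get("warnings", {}).items():
        for w in entries:
            findings.append((w["advisory"]["id"], w["package"]["name"], kind))
    return findings


def evaluate(report, ignored):
    """Return (blocking, suppressed, stale).

    blocking   - findings not covered by the ignore list; CI should fail
    suppressed - (finding, justification) pairs covered by the ignore list
    stale      - ignore entries that matched nothing; candidates for removal
    """
    findings = collect_findings(report)
    seen = {adv_id for adv_id, _, _ in findings}
    blocking = [f for f in findings if f[0] not in ignored]
    suppressed = [(f, ignored[f[0]]) for f in findings if f[0] in ignored]
    stale = sorted(set(ignored) - seen)
    return blocking, suppressed, stale


if __name__ == "__main__":
    print(" ".join(cargo_audit_args(IGNORED)))
    blocking, suppressed, stale = evaluate(SAMPLE_REPORT, IGNORED)
    for adv_id, pkg, kind in blocking:
        print(f"BLOCKING   {adv_id} {pkg} ({kind})")
    for (adv_id, pkg, kind), why in suppressed:
        print(f"SUPPRESSED {adv_id} {pkg} ({kind}): {why}")
    for adv_id in stale:
        print(f"STALE      {adv_id}: no longer reported, remove the --ignore")
    raise SystemExit(1 if blocking else 0)
```

In a real pipeline the report would come from `cargo audit --json` on stdout instead of the embedded sample; the stale list is the part worth wiring into CI output, since it is what tells reviewers that a transitive warning has been fixed upstream and the ignore can be dropped.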