
fix(ci): resolve cargo-audit failures blocking all PR merges#765

Open

wangzishuai1987 wants to merge 1 commit into jarchain:master from wangzishuai1987:fix/ci-cargo-audit

Conversation

@wangzishuai1987


Summary

Fixes #722 — CI security audit has been failing since 2026-04-10, blocking all PR merges on the repository.

Root Cause

New RUSTSEC advisories caused cargo audit to fail in CI:

  • RUSTSEC-2026-0104: rustls-webpki 0.103.12 — reachable panic in CRL parsing
  • RUSTSEC-2026-0097: rand 0.8/0.9 — unsound with custom logger (informational warning)
  • RUSTSEC-2026-0105: core2 — unmaintained (informational warning)
  • Plus polkavm 0.32.0 was yanked from crates.io

Changes

Vulnerability fix (upgrade)

  • rustls-webpki 0.103.12 → 0.103.13 (fixes RUSTSEC-2026-0104)
  • polkavm 0.32.0 → 0.33.1, polkavm-common → 0.33.0 (yanked version removed)

Transitive dependency ignores (no upgrade path available)

Added --ignore with detailed comments for warnings that are indirect dependencies with no action we can take:

  • RUSTSEC-2026-0097: rand unsound — via libp2p, jsonrpsee, ark (no fix in 0.8.x/0.9.x)
  • RUSTSEC-2026-0105: core2 unmaintained — via libp2p → multihash (awaiting libp2p migration)
  • RUSTSEC-2024-0436: paste unmaintained — via ark-ff and netlink (awaiting upstream)

Verification

$ cargo audit \
  --ignore RUSTSEC-2025-0009 \
  --ignore RUSTSEC-2025-0010 \
  --ignore RUSTSEC-2026-0097 \
  --ignore RUSTSEC-2026-0105 \
  --ignore RUSTSEC-2024-0436

# Exit code: 0 (success)
# Only 1 yanked warning remaining (core2, non-actionable)

Impact

This PR unblocks all pending PRs that are currently stuck due to the failing CI audit check.
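A check worth pairing with blanket --ignore flags, added here as an example that is not part of this PR, of the jarchain repository, or of cargo-audit itself: a small gate that reads the report `cargo audit --json` prints and fails the build if a finding is not on a documented allowlist, if an allowlisted advisory ID shows up on a different crate than the one it was accepted for, or if an allowlisted advisory now advertises patched versions (the "no upgrade path" rationale has gone stale and the ignore should be replaced by an upgrade). The JSON field names are my assumption about the shape of that report, the sample report is constructed by hand to mirror the advisories named in this PR, and the script name audit_gate.py is hypothetical.

```python
"""CI gate over `cargo audit --json` output.

Added example for the discussion above; it is not part of this PR, of the
jarchain repository, or of cargo-audit. Assumptions: the field names follow
the JSON report cargo audit prints (top-level "vulnerabilities" and
"warnings"); SAMPLE_REPORT is constructed by hand to mirror the advisories
named in the PR, and the ignore reasons are copied from its description.
"""
import json
import sys

# Allowlist keyed by advisory ID and scoped to the package the advisory is
# about, so the same ID reported on another crate is never silenced by accident.
IGNORED = {
    "RUSTSEC-2026-0097": ("rand", "transitive via libp2p, jsonrpsee, ark; no fix in 0.8.x/0.9.x"),
    "RUSTSEC-2026-0105": ("core2", "transitive via libp2p -> multihash; awaiting libp2p migration"),
    "RUSTSEC-2024-0436": ("paste", "transitive via ark-ff, netlink; awaiting upstream"),
}


def _findings(report):
    """Yield (advisory_id, package, patched_versions, kind) for every finding."""
    for v in report.get("vulnerabilities", {}).get("list", []):
        yield (v["advisory"]["id"], v["package"]["name"],
               (v.get("versions") or {}).get("patched", []), "vulnerability")
    for kind, items in report.get("warnings", {}).items():
        for w in items:
            adv = w.get("advisory") or {}          # yanked warnings carry no advisory
            yield (adv.get("id", "(no advisory)"), w["package"]["name"],
                   (w.get("versions") or {}).get("patched", []), kind)


def gate(report, ignored=IGNORED):
    """Return failure messages; an empty list means the audit passes.

    Fails on: a finding not on the allowlist (including yanked crates, which
    have no ID to scope an ignore to); an allowlisted ID seen on a different
    package; an allowlisted advisory that now lists patched versions, which
    means the "no upgrade path" rationale for ignoring it has gone stale.
    """
    failures = []
    for adv_id, pkg, patched, kind in _findings(report):
        if adv_id not in ignored:
            failures.append(f"{kind}: {adv_id} in {pkg} is not on the allowlist")
            continue
        allowed_pkg, reason = ignored[adv_id]
        if pkg != allowed_pkg:
            failures.append(f"{kind}: {adv_id} is allowlisted for {allowed_pkg} but reported on {pkg}")
        elif patched:
            failures.append(f"{kind}: {adv_id} in {pkg} now has patched versions {patched}; "
                            f"upgrade instead of ignoring (was: {reason})")
    return failures


def clone_report(report):
    """Deep copy via a JSON round-trip, for building what-if variants of a report."""
    return json.loads(json.dumps(report))


# Constructed sample: the lockfile still pins rustls-webpki 0.103.12, so the
# CRL-parsing advisory is reported with an upgrade path, while the three
# transitive warnings have no patched versions.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": {"found": true, "count": 1, "list": [
    {"advisory": {"id": "RUSTSEC-2026-0104", "package": "rustls-webpki",
                  "title": "reachable panic in CRL parsing"},
     "versions": {"patched": [">=0.103.13"], "unaffected": []},
     "package": {"name": "rustls-webpki", "version": "0.103.12"}}
  ]},
  "warnings": {
    "unsound": [
      {"kind": "unsound", "package": {"name": "rand"},
       "advisory": {"id": "RUSTSEC-2026-0097", "package": "rand"},
       "versions": {"patched": [], "unaffected": []}}
    ],
    "unmaintained": [
      {"kind": "unmaintained", "package": {"name": "core2"},
       "advisory": {"id": "RUSTSEC-2026-0105", "package": "core2"},
       "versions": {"patched": [], "unaffected": []}},
      {"kind": "unmaintained", "package": {"name": "paste"},
       "advisory": {"id": "RUSTSEC-2024-0436", "package": "paste"},
       "versions": {"patched": [], "unaffected": []}}
    ],
    "yanked": []
  }
}
""")


if __name__ == "__main__":
    # Usage in CI (script name is hypothetical): cargo audit --json | python3 audit_gate.py
    problems = gate(json.load(sys.stdin))
    for p in problems:
        print(p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run against the constructed sample, the gate reports exactly one failure (the rustls-webpki advisory, which has a patched version and so must be fixed by upgrading rather than ignored); once that entry is gone it passes. Keeping the allowlist in a file under review, with the package and reason next to each ID, means a stale ignore fails loudly the day the advisory database records a fix, instead of living on indefinitely in a CI command line.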

@github-actions

Contributor

Genesis Review

Comparison targets:

How to review

Post a comment with the following format (rank from best to worst):

/review
difficulty: <commit1>, <commit2>, ..., <commitN>, currentPR
novelty: <commit1>, <commit2>, ..., <commitN>, currentPR
design: <commit1>, <commit2>, ..., <commitN>, currentPR
verdict: merge

Use the short commit hashes above and currentPR for this PR.
Each line ranks all comparison targets + this PR from best to worst.

To meta-review another reviewer's comment, react with 👍 or 👎.

Fixes jarchain#722 — CI security audit has been failing since 2026-04-10,
blocking all PR merges.

Changes:
- Upgrade rustls-webpki 0.103.12 → 0.103.13 (fixes RUSTSEC-2026-0104:
  reachable panic in CRL parsing)
- Upgrade polkavm 0.32.0 → 0.33.1 / polkavm-common → 0.33.0
  (0.32.0 was yanked from crates.io)
- Add --ignore for transitive dependency warnings with no upgrade path:
  - RUSTSEC-2026-0097: rand unsound with custom logger (via libp2p,
    jsonrpsee, ark)
  - RUSTSEC-2026-0105: core2 unmaintained (via libp2p -> multihash)
  - RUSTSEC-2024-0436: paste unmaintained (via ark-ff, netlink)


Development

Successfully merging this pull request may close these issues.

ci: cargo-audit failing on new 2026 RUSTSEC advisories (blocks merges)
