
[Alert] Security Audit Failure — zircote/atlatl (2026-03-08) #153

@github-actions

🔴 Critical: Security Audit Workflow Failure

Repository: zircote/atlatl
Workflow: Security Audit (security-audit.yml) — Run #46
Failed At: 2026-03-08T00:47:05Z
Trigger: Scheduled run
Last Commit: feat: enhance MCP tools — detail levels, filters, new tools & UX (2026-03-08T00:17:46Z)

What Happened

The Security Audit workflow failed with exit code 1 on the main branch. Based on the job logs, cargo audit detected one or more vulnerable Rust dependencies. The audit output shows a large dependency tree including cryptographic crates (aes-gcm, getrandom, chrono, elliptic-curve, jsonwebtoken, argon2, ed25519-dalek, rsa) — one or more of these have known advisories.

Affected Dependency Candidates

The following crates appeared in the audit dependency tree and may have active CVEs:

| Crate        | Version         | Notes                                     |
|--------------|-----------------|-------------------------------------------|
| aes-gcm      | 0.10.3          | Encryption — check RustSec for advisories |
| getrandom    | 0.2.17 / 0.3.4  | RNG — check RustSec                       |
| chrono       | 0.4.44          | Date/time — check RustSec                 |
| jsonwebtoken | 10.3.0          | JWT handling — check RustSec              |
| rsa          | 0.9.10          | Crypto — check RustSec                    |

Suggested Actions

  1. Run locally: cargo audit in zircote/atlatl to see the exact CVE IDs and affected packages
  2. Update dependencies: cargo update to pull in patched versions where available
  3. Review advisories: Check (rustsec.org/redacted) for each flagged crate
  4. If no update available: Add [advisories] ignore = [...] to audit.toml with justification, or pin to a safe version

Context

  • No existing open security issues found for atlatl — this is a new alert
  • This is a scheduled audit (not triggered by a PR), so it may reflect newly published advisories against existing dependencies
  • The feature commit just before this run (feat: enhance MCP tools) added 50+ new unit tests but may also have introduced new dependency versions

Other Repos (No Alerts)

| Repo                           | Status               | Last Run                                    |
|--------------------------------|----------------------|---------------------------------------------|
| zircote/.github                | ✅ success           | Update Profile README (2026-03-08T00:10)    |
| zircote/rlm-rs                 | ✅ success           | Daily QA (2026-03-07T11:19)                 |
| zircote/github-project-manager | ✅ success           | Agentic Maintenance (2026-03-07T01:01)      |
| zircote/sdlc-quality           | ✅ success           | Dependabot update (2026-03-02)              |
| All other monitored repos      | No failures detected | —                                           |

No issue spikes (0 new issues in last 6h across all repos), no stale critical/high items, no review backlog detected.


Generated by smart-alerts workflow — https://github.com/zircote/.github/actions/runs/22810733303 — 2026-03-08T00:51:55Z
