chore: update deny.toml with new rustls-webpki and proc-macro-error2 advisories#94
Merged
Fixes the cargo-deny advisories check in CI:

- proc-macro-error2 (RUSTSEC-2026-0173): unmaintained with no safe upgrade; build-time proc-macro only (teloxide, avian3d, rust-embed), no shipped/runtime code.
- rustls-webpki 0.102.8 (RUSTSEC-2026-0098 / -0099 / -0104): name-constraint and CRL-parsing issues. Pinned via serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22; 0.12.5 is the latest serenity, and the fixed rustls-webpki 0.103.x is already used everywhere else. Same situation as the existing RUSTSEC-2026-0049 ignore.
- Drop the stale RUSTSEC-2025-0119 ignore: number_prefix is no longer in the tree, which is the advisory-not-detected warning cargo-deny emitted.

https://claude.ai/code/session_01EDzpnLCpnGBrW3uVesbGKB
Summary

Updates deny.toml to acknowledge and document four new security advisories that are either already mitigated by existing constraints or pose no practical risk to the project.

Changes

- RUSTSEC-2025-0119 (number_prefix) advisory entry
- rustls-webpki 0.102.8 advisories:
  - RUSTSEC-2026-0098: URI name-constraint check vulnerability — mitigated by pinning through serenity 0.12 → tokio-tungstenite 0.21 → rustls 0.22; requires CA compromise post-signature verification
  - RUSTSEC-2026-0099: Wildcard name-constraint check vulnerability — same mitigation as above
  - RUSTSEC-2026-0104: Panic parsing certificate revocation lists — unreachable in practice since serenity/Discord does not use CRLs
- RUSTSEC-2026-0173 (proc-macro-error2) advisory:

Notes

All advisories are documented with their root causes and risk assessments. The rustls-webpki issues are constrained by the serenity 0.12 dependency chain and pose limited practical risk given the additional requirements (CA compromise or CRL parsing). The proc-macro-error2 advisory is acceptable since it only affects build-time code generation.
https://claude.ai/code/session_01EDzpnLCpnGBrW3uVesbGKB
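The `[advisories]` section that expresses the ignores this PR describes, as an added illustration and not the repository's actual deny.toml; the reason strings are paraphrased from the PR text, and the wording of the pre-existing RUSTSEC-2026-0049 entry is a placeholder since the page does not show it:

```toml
# Constructed example of the cargo-deny advisories section described in this PR.
# Not the repository's own deny.toml: reason strings are paraphrased from the PR
# description, and the RUSTSEC-2026-0049 reason is a placeholder.
[advisories]
# RUSTSEC-2025-0119 (number_prefix) is intentionally absent. The crate left the
# dependency tree, and a stale ignore is what made cargo-deny emit the
# advisory-not-detected warning.
ignore = [
    # Pre-existing ignore, kept unchanged (same rustls-webpki pin situation).
    { id = "RUSTSEC-2026-0049", reason = "<existing reason, unchanged>" },

    # rustls-webpki 0.102.8, pinned via serenity 0.12 -> tokio-tungstenite 0.21
    # -> rustls 0.22. serenity 0.12.5 is the latest release; every other path in
    # the tree already resolves to the fixed rustls-webpki 0.103.x.
    { id = "RUSTSEC-2026-0098", reason = "URI name-constraint check; only reachable after a CA compromise, post signature verification. Pinned by serenity 0.12 -> rustls 0.22." },
    { id = "RUSTSEC-2026-0099", reason = "Wildcard name-constraint check; same pin and same precondition as RUSTSEC-2026-0098." },
    { id = "RUSTSEC-2026-0104", reason = "Panic while parsing CRLs; serenity/Discord does not use CRLs, so the path is unreachable." },

    # Build-time only: proc-macro dependency of teloxide, avian3d and rust-embed.
    # No code from this crate is linked into the shipped binary.
    { id = "RUSTSEC-2026-0173", reason = "proc-macro-error2 is unmaintained with no safe upgrade; build-time proc-macro only, no runtime code." },
]
```

With this in place `cargo deny check advisories` should pass cleanly, without the advisory-not-detected warning; the rustls-webpki entries should be revisited whenever the serenity pin moves so that the ignores do not outlive the dependency chain that justifies them.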