From 66f9ad0296a8b4c006235df75038e7bf9114b30c Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 14 Jun 2026 03:57:49 +0000
Subject: [PATCH] chore(deny): resolve cargo-deny advisory failures Fixes the cargo-deny advisories check in CI: - proc-macro-error2 (RUSTSEC-2026-0173): unmaintained with no safe upgrade; build-time proc-macro only (teloxide, avian3d, rust-embed), no shipped/runtime code. - rustls-webpki 0.102.8 (RUSTSEC-2026-0098 / -0099 / -0104): name-constraint and CRL-parsing issues. Pinned via serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22; 0.12.5 is the latest serenity, and the fixed rustls-webpki 0.103.x is already used everywhere else. Same situation as the existing RUSTSEC-2026-0049 ignore. - Drop the stale RUSTSEC-2025-0119 ignore: number_prefix is no longer in the tree, which is the advisory-not-detected warning cargo-deny emitted. https://claude.ai/code/session_01EDzpnLCpnGBrW3uVesbGKB
---
deny.toml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index b669d5f..76c6f7d 100644
--- a/deny.toml
+++ b/deny.toml
@@ -74,7 +74,10 @@ ignore = [
 { id = "RUSTSEC-2024-0436", reason = "paste: unmaintained, transitive dep of tokenizers/rav1e; no upgrade available" },
 { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile: unmaintained but pulled in by readability->reqwest; only reads PEM files for TLS, no code execution risk" },
 { id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.102.8: fix only in 0.103.10+; pinned by serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22; limited impact (requires CA compromise)" },
- { id = "RUSTSEC-2025-0119", reason = "number_prefix: unmaintained; transitive dep of indicatif -> hf-hub -> fastembed; no safe upgrade available" },
+ { id = "RUSTSEC-2026-0098", reason = "rustls-webpki 0.102.8: URI name-constraint check; fix in 0.103.12+ but pinned by serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22 (no newer serenity); reachable only after signature verification and requires CA misissuance" },
+ { id = "RUSTSEC-2026-0099", reason = "rustls-webpki 0.102.8: wildcard name-constraint check; fix in 0.103.12+ but pinned by serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22 (no newer serenity); reachable only after signature verification and requires CA misissuance" },
+ { id = "RUSTSEC-2026-0104", reason = "rustls-webpki 0.102.8: panic parsing certificate revocation lists; fix in 0.103.13+ but pinned by serenity 0.12 -> tokio-tungstenite 0.21 -> rustls 0.22 (no newer serenity); serenity/Discord does not use CRLs so unreachable" },
+ { id = "RUSTSEC-2026-0173", reason = "proc-macro-error2: unmaintained with no safe upgrade; build-time proc-macro only (teloxide, avian3d, rust-embed); no runtime/shipped-code impact" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
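Review bot: The three added rustls-webpki entries (RUSTSEC-2026-0098, -0099, -0104) are keyed on the advisory id alone, so they silence the finding for every rustls-webpki copy in the dependency tree, not only the 0.102.8 pinned through serenity. Their reasons give 0.103.12+ and 0.103.13+ as the fixed versions, so the 0.103.x copy that the commit message calls fixed has to resolve to 0.103.13 or later; Cargo.lock is not part of this patch, so that is worth confirming before merge, because a lower 0.103.x would now pass CI unnoticed. The "does not use CRLs so unreachable" justification on -0104 likewise holds only for the serenity path and should be rechecked if another consumer of the 0.102.x line appears. A comment above the group would record the exit condition, for example `# Remove together with RUSTSEC-2026-0049 once serenity no longer pulls rustls 0.22 (rustls-webpki 0.102.x)`.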