Skip to content

chore(deny): ignore quick-xml DoS advisories RUSTSEC-2026-0194/0195#4179

Open
aviator5 wants to merge 1 commit into
constructorfabric:mainfrom
aviator5:make-deny-temp-fix
Open

chore(deny): ignore quick-xml DoS advisories RUSTSEC-2026-0194/0195#4179
aviator5 wants to merge 1 commit into
constructorfabric:mainfrom
aviator5:make-deny-temp-fix

Conversation

@aviator5

@aviator5 aviator5 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor
  • Both are transitive via kreuzberg -> cf-gears-file-parser -> example-server (example app only)
  • No usable upstream fix: kreuzberg/calamine/biblib all pin quick-xml <0.41
  • Tracked for removal once upstreams allow quick-xml >=0.41

Summary by CodeRabbit

  • Chores
    • Updated the security advisory ignore list to include two additional RustSec advisories.
    • This keeps dependency checks aligned with currently pinned versions and prevents known transitive advisories from blocking builds.

- Both are transitive via kreuzberg -> cf-gears-file-parser -> example-server (example app only)
- No usable upstream fix: kreuzberg/calamine/biblib all pin quick-xml <0.41
- Tracked for removal once upstreams allow quick-xml >=0.41

Signed-off-by: Aviator 5 <ai.agent.tor@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two RustSec advisory IDs (RUSTSEC-2026-0194 and RUSTSEC-2026-0195) were added to the ignore allowlist in deny.toml, each with an inline comment describing the transitive dependency chain and noting no usable fix is currently available.

Changes

Advisory Ignore List Update

Layer / File(s) Summary
Add new ignored advisories
deny.toml
Added RUSTSEC-2026-0194 and RUSTSEC-2026-0195 to the advisories ignore list with comments on the affected dependency chain and unresolved fix status.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Related PRs: None found.

Suggested labels: dependencies, security

Suggested reviewers: None specified.

Poem

A rabbit hops through config lines,
Two advisories now benign,
Ignored with care, a comment penned,
Through kreuzberg's chain, right to the end,
Hop, hop — the audit's clean again! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the denylist exception for the two quick-xml advisories added in deny.toml.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
deny.toml (1)

42-43: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider tracking removal with an expiry/owner note.

The ignore entries are open-ended pending upstream releases of kreuzberg/calamine/biblib. Since this mirrors the existing RUSTSEC-2026-0187 pattern in the same file (Line 41), consistency is fine, but consider adding a tracking issue link or periodic-review reminder (e.g., dependabot/renovate check) so these don't silently persist past the point where upstream fixes become available.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deny.toml` around lines 42 - 43, Add a tracking/reminder note for the two
denylist entries in deny.toml so they do not remain indefinitely after upstream
fixes land. Keep the existing RUSTSEC-2026-0194 and RUSTSEC-2026-0195 comments,
but extend the inline note in the same style as the nearby RUSTSEC-2026-0187
entry to include an owner, issue link, or periodic review reminder. Use the
existing deny.toml ignore list and the RUSTSEC identifiers as the place to
update.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@deny.toml`:
- Around line 42-43: Add a tracking/reminder note for the two denylist entries
in deny.toml so they do not remain indefinitely after upstream fixes land. Keep
the existing RUSTSEC-2026-0194 and RUSTSEC-2026-0195 comments, but extend the
inline note in the same style as the nearby RUSTSEC-2026-0187 entry to include
an owner, issue link, or periodic review reminder. Use the existing deny.toml
ignore list and the RUSTSEC identifiers as the place to update.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 473765a5-e2ae-4ce3-b513-7e7c68b9a567

📥 Commits

Reviewing files that changed from the base of the PR and between 322a01f and cc9d6c7.

📒 Files selected for processing (1)
  • deny.toml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant