chore(deny): ignore quick-xml DoS advisories RUSTSEC-2026-0194/0195#4179
chore(deny): ignore quick-xml DoS advisories RUSTSEC-2026-0194/0195#4179aviator5 wants to merge 1 commit into
Conversation
- Both are transitive via kreuzberg -> cf-gears-file-parser -> example-server (example app only) - No usable upstream fix: kreuzberg/calamine/biblib all pin quick-xml <0.41 - Tracked for removal once upstreams allow quick-xml >=0.41 Signed-off-by: Aviator 5 <ai.agent.tor@gmail.com>
📝 WalkthroughWalkthroughTwo RustSec advisory IDs (RUSTSEC-2026-0194 and RUSTSEC-2026-0195) were added to the ignore allowlist in deny.toml, each with an inline comment describing the transitive dependency chain and noting no usable fix is currently available. ChangesAdvisory Ignore List Update
Estimated code review effort: 1 (Trivial) | ~2 minutes Related PRs: None found. Suggested labels: dependencies, security Suggested reviewers: None specified. Poem A rabbit hops through config lines, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
deny.toml (1)
42-43: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConsider tracking removal with an expiry/owner note.
The ignore entries are open-ended pending upstream releases of kreuzberg/calamine/biblib. Since this mirrors the existing RUSTSEC-2026-0187 pattern in the same file (Line 41), consistency is fine, but consider adding a tracking issue link or periodic-review reminder (e.g., dependabot/renovate check) so these don't silently persist past the point where upstream fixes become available.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@deny.toml` around lines 42 - 43, Add a tracking/reminder note for the two denylist entries in deny.toml so they do not remain indefinitely after upstream fixes land. Keep the existing RUSTSEC-2026-0194 and RUSTSEC-2026-0195 comments, but extend the inline note in the same style as the nearby RUSTSEC-2026-0187 entry to include an owner, issue link, or periodic review reminder. Use the existing deny.toml ignore list and the RUSTSEC identifiers as the place to update.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@deny.toml`:
- Around line 42-43: Add a tracking/reminder note for the two denylist entries
in deny.toml so they do not remain indefinitely after upstream fixes land. Keep
the existing RUSTSEC-2026-0194 and RUSTSEC-2026-0195 comments, but extend the
inline note in the same style as the nearby RUSTSEC-2026-0187 entry to include
an owner, issue link, or periodic review reminder. Use the existing deny.toml
ignore list and the RUSTSEC identifiers as the place to update.
Summary by CodeRabbit