diff --git a/deny.toml b/deny.toml index 38f26ef80..1533f7725 100644 --- a/deny.toml +++ b/deny.toml @@ -39,6 +39,8 @@ ignore = [ "RUSTSEC-2023-0071", # Marvin Attack timing sidechannel in rsa 0.9 — dev-only dep of rustls-corecrypto-provider; used solely for RSA-PSS *verification* (public-key op, no private key involved) in rsa_pss_apple_salt_length_matches_rfc8017 test; no safe upgrade available; advisory itself permits "local use on a non-compromised computer" "RUSTSEC-2026-0173", # proc-macro-error2 unmaintained — direct dep of our proc-macro crate cf-gears-toolkit-db-macros (compile-time only, never in any runtime artifact); no advisory of a vulnerability, only maintenance status. Tracked for migration to std syn::Error -> compile_error! emission. "RUSTSEC-2026-0187", # lopdf <0.42 unbounded-recursion DoS on crafted PDFs — transitive via kreuzberg→cf-gears-file-parser→cf-gears-example-server (example app only, never parses untrusted PDFs). No usable fix: kreuzberg 4.9.x pins lopdf "^0.41" (<0.42) and the fix landed in 0.42.0; 5.x drops the bundled-pdfium feature we use. Remove once kreuzberg ships a release allowing lopdf >=0.42. + "RUSTSEC-2026-0194", # quick-xml <0.41 quadratic duplicate-attribute check DoS — transitive via kreuzberg→cf-gears-file-parser→cf-gears-example-server (example app only). Three vulnerable copies are pulled in: kreuzberg 4.9.8 pins quick-xml "^0.40.1", calamine 0.35 pins "^0.39", and biblib 0.4.2 pins "^0.37". No usable fix: latest kreuzberg 5.0.0-rc.35 still carries the same quick-xml/calamine constraints and drops the bundled-pdfium feature we use. Remove once kreuzberg, calamine and biblib all ship versions allowing quick-xml >=0.41. + "RUSTSEC-2026-0195", # quick-xml <0.41 unbounded NsReader namespace allocation DoS — same transitive paths and no-upstream-fix status as RUSTSEC-2026-0194. Remove once kreuzberg, calamine and biblib all ship versions allowing quick-xml >=0.41. ] # Note: