Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ ignore = [
"RUSTSEC-2023-0071", # Marvin Attack timing sidechannel in rsa 0.9 — dev-only dep of rustls-corecrypto-provider; used solely for RSA-PSS *verification* (public-key op, no private key involved) in rsa_pss_apple_salt_length_matches_rfc8017 test; no safe upgrade available; advisory itself permits "local use on a non-compromised computer"
"RUSTSEC-2026-0173", # proc-macro-error2 unmaintained — direct dep of our proc-macro crate cf-gears-toolkit-db-macros (compile-time only, never in any runtime artifact); no advisory of a vulnerability, only maintenance status. Tracked for migration to std syn::Error -> compile_error! emission.
"RUSTSEC-2026-0187", # lopdf <0.42 unbounded-recursion DoS on crafted PDFs — transitive via kreuzberg→cf-gears-file-parser→cf-gears-example-server (example app only, never parses untrusted PDFs). No usable fix: kreuzberg 4.9.x pins lopdf "^0.41" (<0.42) and the fix landed in 0.42.0; 5.x drops the bundled-pdfium feature we use. Remove once kreuzberg ships a release allowing lopdf >=0.42.
"RUSTSEC-2026-0194", # quick-xml <0.41 quadratic duplicate-attribute check DoS — transitive via kreuzberg→cf-gears-file-parser→cf-gears-example-server (example app only). Three vulnerable copies are pulled in: kreuzberg 4.9.8 pins quick-xml "^0.40.1", calamine 0.35 pins "^0.39", and biblib 0.4.2 pins "^0.37". No usable fix: latest kreuzberg 5.0.0-rc.35 still carries the same quick-xml/calamine constraints and drops the bundled-pdfium feature we use. Remove once kreuzberg, calamine and biblib all ship versions allowing quick-xml >=0.41.
"RUSTSEC-2026-0195", # quick-xml <0.41 unbounded NsReader namespace allocation DoS — same transitive paths and no-upstream-fix status as RUSTSEC-2026-0194. Remove once kreuzberg, calamine and biblib all ship versions allowing quick-xml >=0.41.
]

# Note:
Expand Down
Loading