cargo-deny maintenance #1863
Merged
cargo-deny maintenance #1863
+5
−6
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In 0e9299c (GitoxideLabs#1854), RUSTSEC-2025-0007 was listed as ignored to let `cargo deny advisories` pass. That advisory has been withdrawn, as noted in https://rustsec.org/advisories/RUSTSEC-2025-0007.html: > After this advisory was published, the author graciously agreed > to give access to the rustls team. The rustls team is committed > to providing security (only) maintenance for *ring* for the > foreseeable future. It is no longer necessary to list that advisory as ignored. This reverts commit 0e9299c.
`cargo deny` warns about `sdd` 3.0.4 being yanked. This upgrades it to 3.0.7. https://github.com/wvwwvwwv/scalable-delayed-dealloc/blob/main/CHANGELOG.md describes 3.0.7 as "Fix a use-after-free issue when thread-local storage is dropped." This seems worth bumping the version to in Cargo.lock to be received in `--locked` builds.
`cargo deny` warns about the use of `scc` 2.2.5, which is yanked. https://github.com/wvwwvwwv/scalable-concurrent-containers/blob/main/CHANGELOG.md notes that `scc` 2.0.0 to 2.3.0 (inclusive) were affected by wvwwvwwv/scalable-concurrent-containers#176 and yanked for that reason. This upgrades to a non-yanked version where that use-after-free bug is fixed.
`cargo deny` warned that "Unicode-DFS-2016" appeared in the list of allowed licenses but was not used by any dependency. This list had both "Unicode-3.0" and "Unicode-DFS-2016". Possibly relevant is that `unicode-ident` updated its license in 1.0.14 (dtolnay/unicode-ident#28), changing from "Unicode-DFS-2016" to "Unicode-3.0". The "Unicode-3.0" license was added to `deny.toml` in 5173e9a (GitoxideLabs#1668), but "Unicode-DFS-2016" was not removed at that time. It looks like some Unicode-related packages still used that license at that time. But it does not seem to be needed here anymore.
Byron
approved these changes
Feb 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This removes RUSTSEC-2025-0007 as an allowed advisory since it has been withdrawn and therefore need no longer be listed, updates the versions of two
Cargo.lockdependencies that have been yanked and whose updated versions fix what seem to be soundness bugs, and removes the old Unicode license from the allow list now that no dependencies use it. See commit messages for full details.