From 0c474640f534041bfca540644931aed8a0fca956 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Tue, 25 Feb 2025 14:08:52 -0500
Subject: [PATCH 1/4] Revert "make auditing pass the hard way"

In 0e9299c (#1854), RUSTSEC-2025-0007 was listed as ignored to let `cargo deny advisories` pass. That advisory has been withdrawn, as noted in https://rustsec.org/advisories/RUSTSEC-2025-0007.html:

> After this advisory was published, the author graciously agreed
> to give access to the rustls team. The rustls team is committed
> to providing security (only) maintenance for *ring* for the
> foreseeable future.

It is no longer necessary to list that advisory as ignored.

This reverts commit 0e9299c65e2fca1af734c5e94735920e5ffe6592.
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 67b22b3e42d..d0c6a98beb1 100644
--- a/deny.toml
+++ b/deny.toml
@@ -8,7 +8,7 @@
 # More documentation for the advisories section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
-ignore = ['RUSTSEC-2025-0007']
+ignore = []

From 00c1d02b4a94f164f67cd310ff0602f7c58f608d Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Tue, 25 Feb 2025 14:34:53 -0500
Subject: [PATCH 2/4] Bump sdd to 3.0.7 in Cargo.lock

`cargo deny` warns about `sdd` 3.0.4 being yanked. This upgrades it to 3.0.7. https://github.com/wvwwvwwv/scalable-delayed-dealloc/blob/main/CHANGELOG.md describes 3.0.7 as "Fix a use-after-free issue when thread-local storage is dropped." This seems worth bumping the version to in Cargo.lock to be received in `--locked` builds.
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 90992bd2178..0ace4e00be5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4676,9 +4676,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 [[package]]
 name = "sdd"
-version = "3.0.4"
+version = "3.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49c1eeaf4b6a87c7479688c6d52b9f1153cedd3c489300564f932b065c6eab95"
+checksum = "b07779b9b918cc05650cb30f404d4d7835d26df37c235eded8a6832e2fb82cca"
 [[package]]
 name = "security-framework"

From 401fb42bafc9285bdab179c4f64cd0aef944442e Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Tue, 25 Feb 2025 15:05:51 -0500
Subject: [PATCH 3/4] Bump scc to 2.3.3 in Cargo.lock

`cargo deny` warns about the use of `scc` 2.2.5, which is yanked. https://github.com/wvwwvwwv/scalable-concurrent-containers/blob/main/CHANGELOG.md notes that `scc` 2.0.0 to 2.3.0 (inclusive) were affected by https://github.com/wvwwvwwv/scalable-concurrent-containers/issues/176 and yanked for that reason. This upgrades to a non-yanked version where that use-after-free bug is fixed.
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0ace4e00be5..54e7f1f8c6b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4652,9 +4652,9 @@ dependencies = [
 [[package]]
 name = "scc"
-version = "2.2.5"
+version = "2.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66b202022bb57c049555430e11fc22fea12909276a80a4c3d368da36ac1d88ed"
+checksum = "ea091f6cac2595aa38993f04f4ee692ed43757035c36e67c180b6828356385b1"
 dependencies = [
  "sdd",
 ]

From 9c708dbb02cfcb4acd498bf8672ac1afa9230b1d Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Tue, 25 Feb 2025 15:42:17 -0500
Subject: [PATCH 4/4] Drop unused "Unicode-DFS-2016" license from allowed list

`cargo deny` warned that "Unicode-DFS-2016" appeared in the list of allowed licenses but was not used by any dependency. This list had both "Unicode-3.0" and "Unicode-DFS-2016". Possibly relevant is that `unicode-ident` updated its license in 1.0.14 (https://github.com/dtolnay/unicode-ident/pull/28), changing from "Unicode-DFS-2016" to "Unicode-3.0". The "Unicode-3.0" license was added to `deny.toml` in 5173e9a (#1668), but "Unicode-DFS-2016" was not removed at that time. It looks like some Unicode-related packages still used that license at that time. But it does not seem to be needed here anymore.
---
 deny.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index d0c6a98beb1..1cb36a1f799 100644
--- a/deny.toml
+++ b/deny.toml
@@ -28,7 +28,6 @@ allow = [
     "ISC",
     "LicenseRef-ring",
     "OpenSSL",
-    "Unicode-DFS-2016",
     "Zlib",
     "MPL-2.0",
     "Unicode-3.0"