ci(deny): wildcards deny, advisory tracking, document multi-version debt #8188
ConYel wants to merge 1 commit into
Phase 4 of RFC zeroclaw-labs#7675.

deny.toml:
- bans.wildcards: allow -> deny (clean, no wildcard deps exist)
- bans.multiple-versions: stays warn with TODO documenting 23 duplicate versions in default features (needs separate cleanup)
- Add tracking TBD to all 11 wasmtime advisory ignores

.cargo/audit.toml:
- Add structured comments grouping 18 ignores with tracking TBD on every entry (was completely undocumented before)
WareWolf-MoonWall left a comment
Review: PR #8188 ci(deny): wildcards deny, advisory tracking, document multi-version debt
Author: ConYel
Head SHA: c07a435
Verdict: --approve
CI: 18/18 passing ✅
Active blocking reviews: None.
I reviewed the diff at c07a435, the full local deny.toml and the description of
.cargo/audit.toml, the existing advisory ignore rationale in both files, and the CI check
output. This is a config-hardening PR with no code changes. All three policy changes are
correct and CI confirms the workspace is clean against the tightened policy.
🟢 `wildcards = "deny"` is safe and correct
The diff changes `wildcards = "allow"` to `wildcards = "deny"` in deny.toml's `[bans]`
section. The PR body says "Safe today (none exist)" - verified by CI passing the `bans ok`
check with the new setting. This prevents future `*` version requirements from slipping
through undetected. The tightening is exactly right: it enforces a policy that should already
have been in place.
🟢 Advisory comments improve auditability significantly
Both deny.toml (wasmtime entries) and .cargo/audit.toml (all 18 entries) previously had
bare IDs or minimal comments with no tracking reference. The new format adds:
- Structured group headers (`── wasmtime via extism 1.21.0 (14 advisories) ──`)
- Rationale for each ignore (affected version, fix version, gating condition)
- `tracking TBD` placeholder on every entry that lacks an issue
This makes it possible, for the first time, to audit which ignores can be dropped after an
upstream release. The "tracking TBD" format is a process placeholder, not enforcement, but
it is strictly better than the prior state.
🟢 `multiple-versions = "warn"` deferral is correctly documented
The PR tested multiple-versions = "deny" locally, found 23 duplicate crate versions, and
left the value at "warn" with an explicit TODO and the count documented as of 2026-06-22.
This is the right decision: tightening to "deny" without cleaning up the duplicates would
break CI for everyone and should be done in a dedicated sprint. The deferral is intentional,
documented, and scoped.
🟡 Warning: "tracking TBD" entries have no enforcement mechanism
All 29 modified advisory ignores now carry `tracking TBD` instead of an actual issue URL.
The header comment says "Replace every tracking TBD with an actual issue URL once created."
Without a follow-up issue tracking the creation of these issues, this can silently go stale for
months. Consider:
- Filing a single meta-issue titled "Create tracking issues for all cargo-deny / audit ignores marked TBD" immediately after merge, and dropping its URL into the header comment.
- Alternatively, adding a CI lint that fails if any `tracking TBD` string exists in deny.toml or .cargo/audit.toml after a grace period.
Neither is required before landing this PR, but without one the "tracking TBD" convention
risks becoming permanent boilerplate.
🟡 Warning: Advisory ignores in the deny.toml `[advisories]` section that were NOT modified by this PR still lack `tracking TBD`
The PR updates the wasmtime entries in deny.toml. The pre-existing entries for
RUSTSEC-2025-0141 (bincode), RUSTSEC-2026-0097 (rand), RUSTSEC-2025-0134
(rustls-pemfile), RUSTSEC-2026-0104 (rustls-webpki CRL panic), and RUSTSEC-2024-0429
(glib) already had inline rationale in deny.toml and were not touched by this PR. They
now have a tracking story in deny.toml (inline reason text) but no tracking TBD marker
and no follow-up issue path. This inconsistency is a pre-existing condition and does not
block this PR, but should be addressed in the follow-up meta-issue above.
🔵 Suggestion: The count "23 duplicates with default features as of 2026-06-22" will become stale
The comment `// 23 duplicates with default features as of 2026-06-22` is useful today but
will be wrong after any dependency bump. Consider phrasing it as:

```toml
# TODO: Change to "deny" once duplicate versions are resolved across the workspace.
# Last counted: 23 duplicates (default features, 2026-06-22). Run
# `cargo deny check bans 2>&1 | grep duplicate` to recount before re-attempting.
# Tracking: TBD
```

This gives the next engineer a command to run rather than an outdated number.
Template completeness

| Section | Status |
|---|---|
| Summary | ✅ |
| Validation Evidence | ✅ (cargo deny check with expected output shown) |
| Security & Privacy | ✅ |
| Compatibility | ✅ (wildcards = "deny" only fails CI on future violations) |
| Rollback | ✅ (low risk, git revert) |
| No AI trailers | ✅ |
| No bare string literals | ✅ (config-only) |
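The CI lint the review suggests as an alternative to a meta-issue, written here as an added example (not code from the PR or the project): it counts `tracking TBD` markers in deny.toml and .cargo/audit.toml and fails only once an assumed grace-period deadline has passed. The file names and marker text come from the PR; the deadline date and the sample file contents are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the project: a CI lint of the kind the
# review suggests. It fails once "tracking TBD" markers outlive a grace period.
# The file names and marker text come from the PR; the deadline date and the
# sample file contents below are constructed for this example.
set -eu

MARKER='tracking TBD'

# Count marker occurrences across the given files (absent files count as zero).
count_tbd() {
  total=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    n=$(grep -c "$MARKER" "$f" || true)
    total=$((total + n))
  done
  echo "$total"
}

# Turn YYYY-MM-DD into an integer so dates compare with -gt (20260722 > 20260622).
date_key() { printf '%s' "$1" | sed 's/-//g'; }

# Usage: lint_tbd DEADLINE TODAY FILE...  Returns 0 if no markers remain or the
# deadline has not passed, 1 if markers are still present after the deadline.
lint_tbd() {
  deadline="$1"; today="$2"; shift 2
  n=$(count_tbd "$@")
  if [ "$n" -eq 0 ]; then
    echo "ok: no '$MARKER' markers left in $*"
    return 0
  fi
  if [ "$(date_key "$today")" -gt "$(date_key "$deadline")" ]; then
    echo "FAIL: $n '$MARKER' marker(s) remain after the $deadline grace period" >&2
    return 1
  fi
  echo "warn: $n '$MARKER' marker(s) remain; grace period ends $deadline"
  return 0
}

# Write constructed sample files shaped like the PR's annotated ignores and
# print the directory that holds them.
make_samples() {
  d=$(mktemp -d)
  mkdir -p "$d/.cargo"
  printf '[advisories]\n# placeholder advisory - tracking TBD\nignore = []\n' > "$d/deny.toml"
  printf '# placeholder A - tracking TBD\n# placeholder B - tracking TBD\n' > "$d/.cargo/audit.toml"
  echo "$d"
}
```

In CI the call would be `lint_tbd <deadline> "$(date -u +%F)" deny.toml .cargo/audit.toml`, with the deadline taken from the header comment once the meta-issue exists.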
Summary
- deny.toml wildcards: allow → deny - catches any future `*` version requirements. Safe today (none exist).
- .cargo/audit.toml: added structured comments and `tracking TBD` to all 18 advisory ignores - was completely undocumented, making it impossible to track when ignores can be removed.
- deny.toml wasmtime ignores: added `tracking TBD` to all 11 entries - same reason.
- deny.toml multiple-versions: left at "warn" with a TODO - tested "deny" locally and found 23 duplicate crate versions in the default feature set. Needs a separate dep cleanup sprint.
- .cargo/audit.toml and deny.toml. No workflow changes, no code changes, no dependency bumps.
- cargo deny check / cargo audit. Tighter policy (wildcards = "deny") will fail CI if someone adds a `*` dep, which is the intended effect. multiple-versions = "deny" remains blocked and documented.

Validation Evidence (required)
Tail output:
- cargo deny check - full output shows advisories ok, bans ok, licenses ok, sources ok with one expected advisory-not-detected warning for RUSTSEC-2026-0104 (rustls-webpki CRL panic, only active behind channel-mqtt feature).
- cargo deny check locally (the CI job). Also verified RUSTSEC-2024-0384 (instant unmaintained) by fetching the actual RustSec advisory page - real advisory, informational, no CVE.
- cargo fmt / cargo clippy / cargo test - not applicable, config-only changes.

Security & Privacy Impact
- No
- No
- No
- No

Compatibility
- Yes - wildcards = "deny" only triggers if someone adds a `*` dep.
- No - same schema, same keys.

Rollback
git revert <sha> - low risk, no data or state changes.