48 changes: 31 additions & 17 deletions .cargo/audit.toml
@@ -1,24 +1,38 @@
# cargo-audit configuration
# https://rustsec.org/
#
# Tracking: ALL ignores below need a tracking issue reference.
# Replace every `tracking TBD` with an actual issue URL once created.

[advisories]
ignore = [
"RUSTSEC-2026-0006", # wasmtime f64.copysign segfault on x86-64
"RUSTSEC-2026-0020", # WASI guest-controlled resource exhaustion
"RUSTSEC-2026-0021", # WASI http fields panic
"RUSTSEC-2026-0085", # panic when lifting `flags` component value
"RUSTSEC-2026-0086", # host data leakage with 64-bit tables and Winch
"RUSTSEC-2026-0087", # f64x2.splat Cranelift x86-64 segfault
"RUSTSEC-2026-0088", # data leakage between pooling allocator instances
"RUSTSEC-2026-0089", # Winch table.fill host panic
"RUSTSEC-2026-0091", # OOB write/crash transcoding component model strings
"RUSTSEC-2026-0092", # UTF-16 transcoding panic
"RUSTSEC-2026-0093", # heap OOB read in UTF-16 to latin1+utf16 transcoding
"RUSTSEC-2026-0094", # Winch table.grow improperly masked return value
"RUSTSEC-2026-0095", # Winch sandbox-escape (critical)
"RUSTSEC-2026-0096", # aarch64 Cranelift sandbox-escape (critical)
# ── wasmtime via extism 1.21.0 (14 advisories) ─────────────────────────
# extism 1.21.0 pins wasmtime 41.x; all CVEs fixed in wasmtime 42.0.2.
# plugins are feature-gated behind --features plugins-wasm. The critical
# aarch64 sandbox-escape CVEs require Winch backend (not in use).
"RUSTSEC-2026-0006", # wasmtime f64.copysign segfault on x86-64; tracking TBD
"RUSTSEC-2026-0020", # WASI guest-controlled resource exhaustion; tracking TBD
"RUSTSEC-2026-0021", # WASI http fields panic; tracking TBD
"RUSTSEC-2026-0085", # panic when lifting `flags` component value; tracking TBD
"RUSTSEC-2026-0086", # host data leakage with 64-bit tables and Winch; tracking TBD
"RUSTSEC-2026-0087", # f64x2.splat Cranelift x86-64 segfault; tracking TBD
"RUSTSEC-2026-0088", # data leakage between pooling allocator instances; tracking TBD
"RUSTSEC-2026-0089", # Winch table.fill host panic; tracking TBD
"RUSTSEC-2026-0091", # OOB write/crash transcoding component model strings; tracking TBD
"RUSTSEC-2026-0092", # UTF-16 transcoding panic; tracking TBD
"RUSTSEC-2026-0093", # heap OOB read in UTF-16 to latin1+utf16 transcoding; tracking TBD
"RUSTSEC-2026-0094", # Winch table.grow improperly masked return value; tracking TBD
"RUSTSEC-2026-0095", # Winch sandbox-escape (critical); tracking TBD
"RUSTSEC-2026-0096", # aarch64 Cranelift sandbox-escape (critical); tracking TBD

# ── instant (unmaintained) ──────────────────────────────────────────────
# informational advisory; transitive dep; tracking TBD
"RUSTSEC-2024-0384",
"RUSTSEC-2026-0049", # CRL matching bypass
"RUSTSEC-2026-0098", # URI name constraint incorrectly accepted (2026-04-14)
"RUSTSEC-2026-0099", # URI name constraint incorrectly accepted (2026-04-14)

# ── rustls-webpki via rumqttc v0.25.1 (old 0.102.x copy) ──────────────
# the 0.103.x copy in the rest of the tree is patched; awaiting rumqttc
# upgrade which will remove the old copy entirely.
"RUSTSEC-2026-0049", # CRL matching bypass; tracking TBD
"RUSTSEC-2026-0098", # URI name constraint incorrectly accepted; tracking TBD
"RUSTSEC-2026-0099", # URI name constraint incorrectly accepted; tracking TBD
]
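Review bot: The new group comment `The critical aarch64 sandbox-escape CVEs require Winch backend (not in use)` is contradicted by an entry it is meant to justify: RUSTSEC-2026-0096 is annotated in the same list as `aarch64 Cranelift sandbox-escape (critical)`, so "Winch not in use" only covers RUSTSEC-2026-0095. The deny.toml context comment (`the critical aarch64 sandbox-escape CVEs require the Winch compiler backend`) repeats the same claim, while the new reason string for 0096 there gives a different rationale (`default Cranelift backend on x86-64 unaffected`). Suggest splitting the two cases in the comment: `# 0095 needs the Winch backend (not enabled); 0096 is Cranelift on aarch64 — only acceptable while no aarch64 build enables --features plugins-wasm (confirm)`. Since cargo-audit's `ignore` list holds bare advisory IDs with no reason field, the `tracking TBD` markers in this file are comment-only; the deny.toml `reason` strings are the better place for the canonical justification, and a CI grep for `TBD` in this file would keep the placeholders from outliving the PR.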
29 changes: 17 additions & 12 deletions deny.toml
Expand Up @@ -41,17 +41,19 @@ ignore = [
# wasmtime 42+; plugins are feature-gated behind --features plugins-wasm;
# the critical aarch64 sandbox-escape CVEs require the Winch compiler backend
# which is not enabled in production (default Cranelift backend is unaffected)
{ id = "RUSTSEC-2026-0085", reason = "wasmtime flags component panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0086", reason = "wasmtime 64-bit table data leakage (Winch); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0087", reason = "wasmtime f64x2.splat Cranelift segfault; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0088", reason = "wasmtime pooling allocator data leakage; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0089", reason = "wasmtime Winch table.fill panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0091", reason = "wasmtime OOB write transcoding strings; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0092", reason = "wasmtime UTF-16 transcoding panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0093", reason = "wasmtime heap OOB read UTF-16 transcoding; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0094", reason = "wasmtime Winch table.grow return value; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release" },
{ id = "RUSTSEC-2026-0095", reason = "wasmtime Winch aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; Winch backend not used in production" },
{ id = "RUSTSEC-2026-0096", reason = "wasmtime Cranelift aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; default Cranelift backend on x86-64 unaffected" },
# Tracking: TBD — replace TBD with a tracking issue number once created
# (extism/wasmtime upgrade tracker)
{ id = "RUSTSEC-2026-0085", reason = "wasmtime flags component panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0086", reason = "wasmtime 64-bit table data leakage (Winch); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0087", reason = "wasmtime f64x2.splat Cranelift segfault; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0088", reason = "wasmtime pooling allocator data leakage; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0089", reason = "wasmtime Winch table.fill panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0091", reason = "wasmtime OOB write transcoding strings; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0092", reason = "wasmtime UTF-16 transcoding panic; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0093", reason = "wasmtime heap OOB read UTF-16 transcoding; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0094", reason = "wasmtime Winch table.grow return value; extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; tracking TBD" },
{ id = "RUSTSEC-2026-0095", reason = "wasmtime Winch aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; Winch backend not used in production; tracking TBD" },
{ id = "RUSTSEC-2026-0096", reason = "wasmtime Cranelift aarch64 sandbox escape (critical); extism 1.21 pins wasmtime 41.x; fixed in wasmtime 42.0.2; awaiting extism release; default Cranelift backend on x86-64 unaffected; tracking TBD" },
]

[licenses]
Expand All @@ -76,8 +78,11 @@ allow = [
unused-allowed-license = "allow"

[bans]
# TODO: Change to "deny" once duplicate versions are resolved across the
# workspace (23 duplicates with default features as of 2026-06-22).
# Tracking: TBD — separate RFC/issue for dep cleanup.
multiple-versions = "warn"
wildcards = "allow"
wildcards = "deny"

[sources]
unknown-registry = "deny"
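Review bot: `wildcards = "deny"` in `[bans]` is a behavioural tightening that lands without a comment, while the adjacent `multiple-versions` key now carries a TODO with its tracking status. If any workspace crate declares a path dependency on a sibling with a `*` version requirement this will start failing cargo-deny; cargo-deny's `allow-wildcard-paths = true` exempts path dependencies if that is the intent. Suggest a line above it: `# Wildcard version requirements are rejected; set allow-wildcard-paths if path deps need them.` In the first hunk, the eleven `reason` strings each end in `tracking TBD` although the group comment directly above already says `Tracking: TBD`; keeping the reference once in that comment would mean one edit, not eleven string edits, when the issue is filed.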