From 6d2287b145cd1e54dcd4415b14ad5051af0a7c3d Mon Sep 17 00:00:00 2001
From: ygd58
Date: Thu, 26 Mar 2026 07:57:11 +0100
Subject: [PATCH] fix: improve security advisory descriptions in deny.toml

Improves tracking comments for ignored advisories per #321:
- RUSTSEC-2025-0055: clarify that tracing-subscriber is pulled transitively by ark-relations v0.4.0 and needs upstream fix
- RUSTSEC-2025-0141: document bincode alternatives (postcard, bitcode, rkyv)

Refs #321
---
 .deny.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.deny.toml b/.deny.toml
index ed628f09..34d4eb0b 100644
--- a/.deny.toml
+++ b/.deny.toml
@@ -10,8 +10,8 @@ ignore = [
     { id = "RUSTSEC-2023-0071", reason = "Marvin Attack: potential key recovery through timing sidechannels" },
     { id = "RUSTSEC-2024-0388", reason = "`derivative` is unmaintained; consider using an alternative. Use `cargo tree -p derivative -i > tmp.txt` to check the dependency tree." },
     { id = "RUSTSEC-2024-0436", reason = "`paste` has a security vulnerability; consider using an alternative. Use `cargo tree -p paste -i > tmp.txt` to check the dependency tree." },
-    { id = "RUSTSEC-2025-0055", reason = "`tracing-subscriber` v0.2.25 pulled in by ark-relations v0.4.0 - will be addressed before mainnet" },
-    { id = "RUSTSEC-2025-0141", reason = "`bincode` is unmaintained but continuing to use it." },
+    { id = "RUSTSEC-2025-0055", reason = "`tracing-subscriber` v0.2.25 pulled in transitively by ark-relations v0.4.0; fix requires ark-relations to upgrade to tracing-subscriber >=0.3.20. Tracked in #321." },
+    { id = "RUSTSEC-2025-0141", reason = "`bincode` is permanently unmaintained; alternatives include postcard, bitcode, rkyv. Migration tracked in #321." },
     { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill is pulled transitively via risc0-zkvm; waiting on upstream fix (see https://github.com/risc0/risc0/issues/3453)" },
 ]
 yanked = "deny"
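Review bot: The new `RUSTSEC-2025-0055` entry drops the exit criterion the old line carried ("will be addressed before mainnet") and replaces it with only a tracker reference, so nothing in the file any longer states when this suppression must be retired, and an ignore with no removal condition tends to outlive the reason it was added. Neither new `reason` says why the advisory is acceptable to ignore here, only where the crate comes from: for 0055 the relevant question is whether any value that reaches log formatting can originate from untrusted input (the advisory, as far as I recall, concerns ANSI escape sequence injection into log output), and for `RUSTSEC-2025-0141` whether `bincode` ever deserializes data from outside the trust boundary. I would keep the milestone and record the risk assessment in the string itself, e.g. `reason = "... Tracked in #321; must be resolved before mainnet. Accepted because no untrusted input reaches log formatting — confirm."`, and likewise note for `bincode` whether it is used only on trusted, internally produced data. The `ignore = [` array is fully visible in the hunk, so the change is otherwise self-contained.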