fix(security): upgrade deps and enforce security audit workflow

- Upgrade bytes 1.11.0 → 1.11.1 (RUSTSEC-2026-0007 integer overflow)
- Upgrade time 0.3.46 → 0.3.47 (RUSTSEC-2026-0009 DoS stack exhaustion)
- Upgrade git2 0.20.3 → 0.20.4 (RUSTSEC-2026-0008 undefined behavior)
- Upgrade keccak 0.1.5 → 0.1.6 (RUSTSEC-2026-0012 unsoundness)
- Add ignore rules in deny.toml for unfixable upstream advisories
  (wasmtime 37.x, rsa, tracing-subscriber 0.2.x, lru)
- Remove continue-on-error from security-audit workflow — audit is now
  enforced and will block CI on new unignored vulnerabilities

.github/workflows/security-audit.yml

@@ -26,9 +26,6 @@ jobs:
     needs: isdraft
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    # Informational: surfaces issues without blocking CI.
-    # Remove continue-on-error once all findings are addressed.
-    continue-on-error: true
     strategy:
       matrix:
         checks:
@@ -45,9 +42,6 @@ jobs:
     needs: isdraft
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    # Informational: surfaces vulnerabilities without blocking CI.
-    # Remove continue-on-error once all advisories are resolved or ignored.
-    continue-on-error: true
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install cargo-audit
@@ -55,12 +49,20 @@ jobs:
       - name: Run cargo audit
         run: |
           echo "## Cargo Audit Results" >> $GITHUB_STEP_SUMMARY
-          cargo audit 2>&1 | tee audit-output.txt
+          # Ignored advisories: upstream transitive deps with no available fix.
+          # Review quarterly and remove ignores when patches become available.
+          cargo audit \
+            --ignore RUSTSEC-2026-0006 \
+            --ignore RUSTSEC-2026-0020 \
+            --ignore RUSTSEC-2026-0021 \
+            --ignore RUSTSEC-2023-0071 \
+            --ignore RUSTSEC-2025-0055 \
+            --ignore RUSTSEC-2026-0002 \
+            2>&1 | tee audit-output.txt
           RESULT=${PIPESTATUS[0]}
           if [ $RESULT -ne 0 ]; then
             echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
-            # Truncate output to avoid GITHUB_STEP_SUMMARY 1MB limit
             head -500 audit-output.txt >> $GITHUB_STEP_SUMMARY
             if [ "$(wc -l < audit-output.txt)" -gt 500 ]; then
               echo "... (truncated, see full output in job logs)" >> $GITHUB_STEP_SUMMARY
@@ -81,9 +83,9 @@ jobs:
           tee resultfile <<< '${{ toJSON(needs) }}'
           FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
           if [ $FAILURES -gt 0 ]; then
-            echo "### Security audit found issues - review needed" >> $GITHUB_STEP_SUMMARY
-            echo "Note: Security audit is currently informational (continue-on-error)." >> $GITHUB_STEP_SUMMARY
+            echo "### Security audit FAILED" >> $GITHUB_STEP_SUMMARY
             echo "Review the cargo-deny and cargo-audit job outputs for details." >> $GITHUB_STEP_SUMMARY
+            exit 1
           else
             echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
           fi

Cargo.lock

@@ -2590,9 +2590,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 dependencies = [
  "serde",
 ]
@@ -4092,7 +4092,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ab67060fc6b8ef687992d439ca0fa36e7ed17e9a0b16b25b601e8757df720de"
 dependencies = [
  "data-encoding",
- "syn 2.0.114",
+ "syn 1.0.109",
 ]
 
 [[package]]
@@ -4369,7 +4369,7 @@ checksum = "6738d2e996274e499bc7b0d693c858b7720b9cd2543a0643a3087e6cb0a4fa16"
 dependencies = [
  "cfg-if",
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -4794,7 +4794,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -5553,9 +5553,9 @@ dependencies = [
 
 [[package]]
 name = "git2"
-version = "0.20.3"
+version = "0.20.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e2b37e2f62729cdada11f0e6b3b6fe383c69c29fc619e391223e12856af308c"
+checksum = "7b88256088d75a56f8ecfa070513a775dd9107f6530ef14919dac831af9cfe2b"
 dependencies = [
  "bitflags 2.10.0",
  "libc",
@@ -6607,7 +6607,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -7026,9 +7026,9 @@ dependencies = [
 
 [[package]]
 name = "keccak"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+checksum = "cb26cec98cce3a3d96cbb7bced3c4b16e3d13f27ec56dbd62cbc8f39cfb9d653"
 dependencies = [
  "cpufeatures",
 ]
@@ -8612,7 +8612,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -8939,7 +8939,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.45.0",
 ]
 
 [[package]]
@@ -22356,8 +22356,8 @@ version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be769465445e8c1474e9c5dac2018218498557af32d9ed057325ec9a41ae81bf"
 dependencies = [
- "heck 0.5.0",
- "itertools 0.14.0",
+ "heck 0.4.1",
+ "itertools 0.10.5",
  "log",
  "multimap",
  "once_cell",
@@ -22376,8 +22376,8 @@ version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7"
 dependencies = [
- "heck 0.5.0",
- "itertools 0.14.0",
+ "heck 0.4.1",
+ "itertools 0.10.5",
  "log",
  "multimap",
  "petgraph 0.8.3",
@@ -22422,7 +22422,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d"
 dependencies = [
  "anyhow",
- "itertools 0.14.0",
+ "itertools 0.10.5",
  "proc-macro2 1.0.106",
  "quote 1.0.44",
  "syn 2.0.114",
@@ -22435,7 +22435,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b"
 dependencies = [
  "anyhow",
- "itertools 0.14.0",
+ "itertools 0.10.5",
  "proc-macro2 1.0.106",
  "quote 1.0.44",
  "syn 2.0.114",
@@ -22629,7 +22629,7 @@ dependencies = [
  "once_cell",
  "socket2 0.6.2",
  "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -23555,7 +23555,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.11.0",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -25456,7 +25456,7 @@ dependencies = [
  "getrandom 0.3.4",
  "once_cell",
  "rustix 1.1.3",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -25864,9 +25864,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.46"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9da98b7d9b7dad93488a84b8248efc35352b0b2657397d4167e7ad67e5d535e5"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
 dependencies = [
  "deranged",
  "itoa",
@@ -25887,9 +25887,9 @@ checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
 [[package]]
 name = "time-macros"
-version = "0.2.26"
+version = "0.2.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78cc610bac2dcee56805c99642447d4c5dbde4d01f752ffea0199aee1f601dc4"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
 dependencies = [
  "num-conv",
  "time-core",
@@ -27562,7 +27562,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]

deny.toml

@@ -18,8 +18,23 @@ exclude = ["bizinikiwi-test-runtime-transaction-pool"]
 yanked = "warn"
 unmaintained = "workspace"
 ignore = [
-	# Add specific advisory IDs to ignore here with justification:
-	# "RUSTSEC-0000-0000", # reason for ignoring
+	# wasmtime 37.0.3: no patch release for 37.x branch. Upgrade to 41+ requires
+	# major API changes in pezsc-executor-wasmtime. Tracked for future major upgrade.
+	"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
+	"RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
+	"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
+
+	# rsa 0.9.10: no upstream fix available. Pulled transitively by sqlx-mysql
+	# (used in pezpallet-revive-eth-rpc). Not used for cryptographic signing in our chain.
+	"RUSTSEC-2023-0071", # rsa Marvin Attack timing sidechannel
+
+	# tracing-subscriber 0.2.25: pulled by ark-relations 0.5.1 (latest).
+	# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
+	"RUSTSEC-2025-0055", # tracing-subscriber ANSI log poisoning
+
+	# lru 0.12.5: IterMut Stacked Borrows violation. Pulled by smoldot-light.
+	# 0.12.5 is latest version, no patch available yet.
+	"RUSTSEC-2026-0002", # lru IterMut internal pointer invalidation
 ]
 
 # License compliance