fix(security): update vulnerable dependencies, clean up deny.toml

Cargo.lock updates (cargo update):
- tar 0.4.44 -> 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068)
- rustls-webpki 0.103.9 -> 0.103.11 (RUSTSEC-2026-0049)
- tracing-subscriber 0.3.22 -> 0.3.23
- yamux 0.13.8 -> 0.13.10 (RUSTSEC-2024-0428 for 0.13.x branch)

deny.toml: remove fixed advisory ignores, add accurate tracking comments

Remaining known issues (cannot fix without toolchain/vendor upgrade):
- wasmtime 37.x: fix in 42.x requires rustc 1.91 (pinned to 1.88)
- yamux 0.12.1: locked by libp2p-yamux 0.47.0 in zombienet vendor

Cargo.lock

@@ -2316,7 +2316,7 @@ dependencies = [
  "tokio",
  "tokio-util",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -4092,7 +4092,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ab67060fc6b8ef687992d439ca0fa36e7ed17e9a0b16b25b601e8757df720de"
 dependencies = [
  "data-encoding",
- "syn 1.0.109",
+ "syn 2.0.114",
 ]
 
 [[package]]
@@ -4369,7 +4369,7 @@ checksum = "6738d2e996274e499bc7b0d693c858b7720b9cd2543a0643a3087e6cb0a4fa16"
 dependencies = [
  "cfg-if",
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4794,7 +4794,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -6607,7 +6607,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -7640,7 +7640,7 @@ dependencies = [
  "rcgen",
  "ring",
  "rustls 0.23.36",
- "rustls-webpki 0.103.9",
+ "rustls-webpki 0.103.11",
  "thiserror 2.0.18",
  "x509-parser",
  "yasna",
@@ -7694,7 +7694,7 @@ dependencies = [
  "thiserror 2.0.18",
  "tracing",
  "yamux 0.12.1",
- "yamux 0.13.8",
+ "yamux 0.13.10",
 ]
 
 [[package]]
@@ -7917,7 +7917,7 @@ dependencies = [
  "url",
  "x25519-dalek",
  "x509-parser",
- "yamux 0.13.8",
+ "yamux 0.13.10",
  "yasna",
  "zeroize",
 ]
@@ -8612,7 +8612,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -8939,7 +8939,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -11269,7 +11269,7 @@ dependencies = [
  "pezsp-io",
  "pezsp-maybe-compressed-blob",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -11947,7 +11947,7 @@ dependencies = [
  "pezsp-runtime",
  "pezsp-statement-store",
  "tempfile",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -14264,7 +14264,7 @@ dependencies = [
  "tokio-util",
  "tower 0.4.13",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
  "url",
  "wasm-bindgen-futures",
  "web-time",
@@ -14696,7 +14696,7 @@ dependencies = [
  "pezkuwi-zombienet-support",
  "tokio",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -14810,7 +14810,7 @@ dependencies = [
  "pezkuwi-zombienet-support",
  "serde_json",
  "tokio",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -19034,7 +19034,7 @@ dependencies = [
  "schnellru",
  "tempfile",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
  "wat",
 ]
 
@@ -19812,7 +19812,7 @@ dependencies = [
  "thiserror 1.0.69",
  "tracing",
  "tracing-log",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -19869,7 +19869,7 @@ dependencies = [
  "tokio",
  "tokio-stream",
  "tracing",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -21221,7 +21221,7 @@ dependencies = [
  "regex",
  "tracing",
  "tracing-core",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -22361,8 +22361,8 @@ version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be769465445e8c1474e9c5dac2018218498557af32d9ed057325ec9a41ae81bf"
 dependencies = [
- "heck 0.4.1",
- "itertools 0.10.5",
+ "heck 0.5.0",
+ "itertools 0.14.0",
  "log",
  "multimap",
  "once_cell",
@@ -22381,8 +22381,8 @@ version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7"
 dependencies = [
- "heck 0.4.1",
- "itertools 0.10.5",
+ "heck 0.5.0",
+ "itertools 0.14.0",
  "log",
  "multimap",
  "petgraph 0.8.3",
@@ -22427,7 +22427,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d"
 dependencies = [
  "anyhow",
- "itertools 0.10.5",
+ "itertools 0.14.0",
  "proc-macro2 1.0.106",
  "quote 1.0.44",
  "syn 2.0.114",
@@ -22440,7 +22440,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b"
 dependencies = [
  "anyhow",
- "itertools 0.10.5",
+ "itertools 0.14.0",
  "proc-macro2 1.0.106",
  "quote 1.0.44",
  "syn 2.0.114",
@@ -22634,7 +22634,7 @@ dependencies = [
  "once_cell",
  "socket2 0.6.2",
  "tracing",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -23560,7 +23560,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.11.0",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -23585,7 +23585,7 @@ dependencies = [
  "once_cell",
  "ring",
  "rustls-pki-types",
- "rustls-webpki 0.103.9",
+ "rustls-webpki 0.103.11",
  "subtle 2.6.1",
  "zeroize",
 ]
@@ -23647,7 +23647,7 @@ dependencies = [
  "rustls 0.23.36",
  "rustls-native-certs 0.8.3",
  "rustls-platform-verifier-android",
- "rustls-webpki 0.103.9",
+ "rustls-webpki 0.103.11",
  "security-framework 3.5.1",
  "security-framework-sys",
  "webpki-root-certs 0.26.11",
@@ -23672,9 +23672,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "20a6af516fea4b20eccceaf166e8aa666ac996208e8a644ce3ef5aa783bc7cd4"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -25430,9 +25430,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tar"
-version = "0.4.44"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
  "filetime",
  "libc",
@@ -25461,7 +25461,7 @@ dependencies = [
  "getrandom 0.3.4",
  "once_cell",
  "rustix 1.1.3",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -25539,7 +25539,7 @@ checksum = "37d53ac171c92a39e4769491c4b4dde7022c60042254b5fc044ae409d34a24d4"
 dependencies = [
  "env_logger 0.11.8",
  "test-log-macros",
- "tracing-subscriber 0.3.22",
+ "tracing-subscriber 0.3.23",
 ]
 
 [[package]]
@@ -26369,9 +26369,9 @@ dependencies = [
 
 [[package]]
 name = "tracing-subscriber"
-version = "0.3.22"
+version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
 dependencies = [
  "chrono",
  "matchers",
@@ -27567,7 +27567,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -28311,9 +28311,9 @@ dependencies = [
 
 [[package]]
 name = "yamux"
-version = "0.13.8"
+version = "0.13.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "deab71f2e20691b4728b349c6cee8fc7223880fa67b6b4f92225ec32225447e5"
+checksum = "1991f6690292030e31b0144d73f5e8368936c58e45e7068254f7138b23b00672"
 dependencies = [
  "futures",
  "log",

deny.toml

@@ -20,29 +20,26 @@ yanked = "warn"
 # Track via quarterly review instead of blocking CI.
 unmaintained = "none"
 ignore = [
-	# wasmtime 37.0.3: no patch release for 37.x branch. Upgrade to 41+ requires
-	# major API changes in pezsc-executor-wasmtime. Tracked for future major upgrade.
+	# wasmtime 37.0.3: fix requires 42.0.2 but cranelift-assembler-x64 0.129+ needs
+	# rustc 1.91.0 — our toolchain is pinned to 1.88.0. Unblock by upgrading toolchain.
+	# Note: we do NOT use Winch backend or Component Model, so sandbox-escape CVEs
+	# (Winch/aarch64) and string-transcoding CVEs (Component Model) do not apply.
+	# Remaining real risk: pooling allocator data leakage (RUSTSEC-2026-0006).
 	"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
-	"RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
+	"RUSTSEC-2026-0020", # wasmtime WASI guest-controlled resource exhaustion
 	"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
 
-	# rustls-webpki 0.101.7 & 0.103.9: pulled transitively by kube (0.87.2) and
-	# jsonrpsee (0.24.10). Fix requires >=0.103.10 but upstream hasn't released
-	# compatible versions of kube/jsonrpsee yet.
-	"RUSTSEC-2026-0049", # rustls-webpki certificate path building panic
-
 	# rsa 0.9.10: Marvin Attack timing sidechannel. Pulled transitively by
 	# sqlx-mysql (pezpallet-revive-eth-rpc). Not used for cryptographic signing.
 	"RUSTSEC-2023-0071", # rsa Marvin Attack
 
-	# tracing-subscriber 0.2.25: ANSI log poisoning. Pulled by ark-relations 0.5.1.
-	# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
-	"RUSTSEC-2025-0055", # tracing-subscriber ANSI escape
+	# tracing-subscriber 0.2.25: ANSI log injection. Pulled by ark-relations 0.5.1.
+	# Our 0.3.x is updated to 0.3.23 (fixed). 0.2.x used only by arkworks internals.
+	"RUSTSEC-2025-0055", # tracing-subscriber ANSI escape (0.2.x, arkworks transitive)
 
-	# tar 0.4.44: link following + path traversal. Pulled transitively.
-	# No patch available for 0.4.x branch yet.
-	"RUSTSEC-2026-0067", # tar symlink path traversal
-	"RUSTSEC-2026-0068", # tar link following vulnerability
+	# yamux 0.12.1: libp2p-yamux 0.47.0 (vendor/pezkuwi-zombienet-sdk) pins to 0.12.x.
+	# Fix requires 0.13.10. Upgrade path: update libp2p in zombienet vendor.
+	"RUSTSEC-2024-0428", # yamux remote panic via malformed Data frame (< 0.13.10)
 ]
 
 # License compliance