fix(security): add missing advisory ignores for cargo-audit + cargo-deny

Re-add RUSTSEC-2023-0071 (rsa) and RUSTSEC-2025-0055 (tracing-subscriber) which were incorrectly removed — they are still in transitive deps. Add new advisories: - RUSTSEC-2026-0067 (tar symlink traversal) — no 0.4.x patch available - RUSTSEC-2026-0068 (tar link following) — no 0.4.x patch available
2026-03-28 15:47:09 +03:00
parent fd197ae78f
commit a0607b420c
2 changed files with 17 additions and 0 deletions
@@ -57,6 +57,10 @@ jobs:
            --ignore RUSTSEC-2026-0020 \
            --ignore RUSTSEC-2026-0021 \
            --ignore RUSTSEC-2026-0049 \
+            --ignore RUSTSEC-2023-0071 \
+            --ignore RUSTSEC-2025-0055 \
+            --ignore RUSTSEC-2026-0067 \
+            --ignore RUSTSEC-2026-0068 \
            2>&1 | tee audit-output.txt
          RESULT=${PIPESTATUS[0]}
          if [ $RESULT -ne 0 ]; then
@@ -30,6 +30,19 @@ ignore = [
 	# jsonrpsee (0.24.10). Fix requires >=0.103.10 but upstream hasn't released
 	# compatible versions of kube/jsonrpsee yet.
 	"RUSTSEC-2026-0049", # rustls-webpki certificate path building panic
+
+	# rsa 0.9.10: Marvin Attack timing sidechannel. Pulled transitively by
+	# sqlx-mysql (pezpallet-revive-eth-rpc). Not used for cryptographic signing.
+	"RUSTSEC-2023-0071", # rsa Marvin Attack
+
+	# tracing-subscriber 0.2.25: ANSI log poisoning. Pulled by ark-relations 0.5.1.
+	# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
+	"RUSTSEC-2025-0055", # tracing-subscriber ANSI escape
+
+	# tar 0.4.44: link following + path traversal. Pulled transitively.
+	# No patch available for 0.4.x branch yet.
+	"RUSTSEC-2026-0067", # tar symlink path traversal
+	"RUSTSEC-2026-0068", # tar link following vulnerability
 ]

 # License compliance