From fd197ae78fd067392f46ef4f33578e9c4c513e27 Mon Sep 17 00:00:00 2001 From: Kurdistan Tech Ministry Date: Fri, 27 Mar 2026 09:34:47 +0300 Subject: [PATCH] fix: presale benchmark missing args + security audit advisory cleanup - Fix refund_cancelled_presale benchmark: add missing start_index and batch_size arguments (0, 100) to match the 3-param extrinsic signature - Remove 3 stale RUSTSEC advisories from deny.toml and security-audit.yml (RUSTSEC-2023-0071, RUSTSEC-2025-0055, RUSTSEC-2026-0002 no longer in deps) - Add RUSTSEC-2026-0049 (rustls-webpki) to ignore lists (upstream kube/jsonrpsee haven't released compatible versions yet)
---
 .github/workflows/security-audit.yml | 4 +--- deny.toml | 15 ++++----------- .../pezpallets/presale/src/benchmarking.rs | 2 +- 3 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 3a80c9b0..e8e34c14 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -56,9 +56,7 @@ jobs:
 --ignore RUSTSEC-2026-0006 \
 --ignore RUSTSEC-2026-0020 \
 --ignore RUSTSEC-2026-0021 \
- --ignore RUSTSEC-2023-0071 \
- --ignore RUSTSEC-2025-0055 \
- --ignore RUSTSEC-2026-0002 \
+ --ignore RUSTSEC-2026-0049 \
 2>&1 | tee audit-output.txt
 RESULT=${PIPESTATUS[0]}
 if [ $RESULT -ne 0 ]; then
diff --git a/deny.toml b/deny.toml
index feeb63b7..0998bea9 100644
--- a/deny.toml
+++ b/deny.toml
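Review bot: The added `--ignore RUSTSEC-2026-0049` flag in the security-audit.yml audit step carries no rationale or removal condition, and the same ID list is maintained by hand in the `ignore` array of deny.toml, so the two can drift apart without anyone noticing. A comment placed above the command, outside the backslash-continued lines, would tie them together, for example `# Ignore list mirrors the ignore array in deny.toml; the reason for each ID is recorded there.` Because this advisory is in a TLS certificate-handling crate, the comment should also say when the ignore is expected to be dropped; the commit message ties that to new kube/jsonrpsee releases. The opening lines of the step are outside the hunk, so the exact placement has to be checked against the full workflow file.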
@@ -26,17 +26,10 @@ ignore = [
 "RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
 "RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
- # rsa 0.9.10: no upstream fix available. Pulled transitively by sqlx-mysql
- # (used in pezpallet-revive-eth-rpc). Not used for cryptographic signing in our chain.
- "RUSTSEC-2023-0071", # rsa Marvin Attack timing sidechannel
-
- # tracing-subscriber 0.2.25: pulled by ark-relations 0.5.1 (latest).
- # Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
- "RUSTSEC-2025-0055", # tracing-subscriber ANSI log poisoning
-
- # lru 0.12.5: IterMut Stacked Borrows violation. Pulled by smoldot-light.
- # 0.12.5 is latest version, no patch available yet.
- "RUSTSEC-2026-0002", # lru IterMut internal pointer invalidation
+ # rustls-webpki 0.101.7 & 0.103.9: pulled transitively by kube (0.87.2) and
+ # jsonrpsee (0.24.10). Fix requires >=0.103.10 but upstream hasn't released
+ # compatible versions of kube/jsonrpsee yet.
+ "RUSTSEC-2026-0049", # rustls-webpki certificate path building panic
 ]
 # License compliance
diff --git a/pezcumulus/teyrchains/pezpallets/presale/src/benchmarking.rs b/pezcumulus/teyrchains/pezpallets/presale/src/benchmarking.rs
index 052aa27c..46ca5821 100644
--- a/pezcumulus/teyrchains/pezpallets/presale/src/benchmarking.rs
+++ b/pezcumulus/teyrchains/pezpallets/presale/src/benchmarking.rs
@@ -296,7 +296,7 @@ mod benchmarks {
 let _ = Presale::::cancel_presale(RawOrigin::Root.into(), presale_id);
 #[extrinsic_call]
- refund_cancelled_presale(RawOrigin::Signed(caller.clone()), presale_id);
+ refund_cancelled_presale(RawOrigin::Signed(caller.clone()), presale_id, 0, 100);
 // Verify refund was processed
 let contribution = crate::Contributions::::get(presale_id, &caller).unwrap();
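Review bot: In the deny.toml hunk, the new comment for `RUSTSEC-2026-0049` explains why the upgrade is blocked but not why the exposure is acceptable, which the removed rsa entry did state ("Not used for cryptographic signing in our chain"). A panic during certificate path building may be reachable from a certificate chain supplied by the remote peer, so the entry should record which binaries make TLS connections through kube or jsonrpsee and whether those peers are under the operator's control. Two extra comment lines would cover it: `# Exposure: <binaries and peers that reach rustls-webpki via kube/jsonrpsee>` and `# Revisit: when kube/jsonrpsee release against rustls-webpki >=0.103.10`. The comment also lists two versions, 0.101.7 and 0.103.9, but names only a 0.103.x fix; it should say whether the 0.101 copy can only be removed by upgrading kube.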
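Review bot: The literals `0, 100` in the `refund_cancelled_presale` call of benchmarking.rs pin the batch to one size, so the generated weight cannot grow with `batch_size`; if the extrinsic walks up to `batch_size` contributors, a larger batch would be charged the same weight for more work, which leaves the call underpriced. Only the caller's own contribution is checked after the call, so the benchmark may be measuring a single refund rather than a full batch; the setup and the extrinsic body are outside the hunk, so this is inferred. Consider a linear component in the benchmark signature, `n: Linear<1, MAX_BATCH>` (placeholder bound), with `n` contributors created in setup and the call written as `refund_cancelled_presale(RawOrigin::Signed(caller.clone()), presale_id, 0, n);`. At minimum, name the arguments with a comment such as `// start_index = 0, batch_size = 100`.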