chore(deps): cargo-deny advisories failing on main (anyhow, quick-xml, ttf-parser, wasmtime-wasi) #648

Description

@staging-devin-ai-integration

Skit / Lint (fmt + clippy) is failing on all PRs (and reproduces locally on main with cargo deny check advisories) due to newly published RUSTSEC advisories:

  • anyhow 1.0.102 — unsoundness in Error::downcast_mut() (fix: cargo update -p anyhow)
  • quick-xml 0.39.4 — two vulnerabilities: quadratic runtime on duplicate attribute names, unbounded namespace-declaration allocation in NsReader (via opendal-service-s3reqsign-aws-v4)
  • ttf-parser 0.21.1 — unmaintained (via fontdue)
  • wasmtime-wasi 46.0.0 — WASI hard links/renames bypass FilePerms (fix: upgrade to >=46.0.1)

None of these are introduced by any open PR; the advisory DB update flipped the check red repo-wide. Fixes are mostly cargo update -p <crate>; ttf-parser may need a fontdue bump or a temporary deny.toml ignore with rationale.

Observed on #638 (job 85115995371).
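
The temporary `deny.toml` ignore mentioned in the issue could look like the fragment below. This is an added example, not part of the original issue or the repository's configuration. The advisory ID is a placeholder, and the `{ id, reason }` entry form assumes a cargo-deny release that supports it.

```toml
# deny.toml (fragment) - constructed example, not the project's actual file.
[advisories]
ignore = [
    # Scope the exception to the single "unmaintained" advisory for ttf-parser.
    # RUSTSEC-0000-0000 is a placeholder: substitute the ID that
    # `cargo deny check advisories` prints for ttf-parser 0.21.1.
    { id = "RUSTSEC-0000-0000", reason = "ttf-parser 0.21.1 is unmaintained and only reachable via fontdue; temporary until fontdue is bumped (see #648)" },
    # anyhow, quick-xml and wasmtime-wasi are deliberately not listed:
    # those advisories should keep failing the check until the crates are updated.
]
```

Ignoring by advisory ID rather than by crate means a later vulnerability advisory against ttf-parser still fails the check.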
