`Skit / Lint (fmt + clippy)` is failing on all PRs (and reproduces locally on `main` with `cargo deny check advisories`) due to newly published RUSTSEC advisories:
- anyhow 1.0.102 — unsoundness in `Error::downcast_mut()` (fix: `cargo update -p anyhow`)
- quick-xml 0.39.4 — two vulnerabilities: quadratic runtime on duplicate attribute names, unbounded namespace-declaration allocation in `NsReader` (via `opendal-service-s3` → `reqsign-aws-v4`)
- ttf-parser 0.21.1 — unmaintained (via `fontdue`)
- wasmtime-wasi 46.0.0 — WASI hard links/renames bypass `FilePerms` (fix: upgrade to >=46.0.1)

None of these are introduced by any open PR; the advisory DB update flipped the check red repo-wide. Fixes are mostly `cargo update -p <crate>`; `ttf-parser` may need a `fontdue` bump or a temporary `deny.toml` ignore with rationale.

Observed on #638 (job 85115995371).
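A sketch of the temporary `deny.toml` ignore mentioned above, added here as an example and not taken from the repository's own configuration. The advisory ID is a placeholder because the issue does not state it, and the `reason` wording is an assumption.

```toml
# deny.toml fragment (added example; RUSTSEC-0000-0000 is a placeholder, not a real advisory ID)
[advisories]
ignore = [
    # ttf-parser 0.21.1 is flagged as unmaintained and is only pulled in via fontdue.
    # Replace the placeholder with the ID printed by `cargo deny check advisories`.
    # The reason string keeps the rationale next to the exception so it can be
    # removed once fontdue moves off the unmaintained crate.
    { id = "RUSTSEC-0000-0000", reason = "ttf-parser unmaintained; transitive via fontdue; remove after fontdue bump" },
]
```

Scoping the ignore to a single advisory ID leaves the other three advisories failing the check until their crates are updated.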