audit.toml
# cargo-audit configuration
# Documents accepted transitive dependency advisories that cannot be resolved
# without upstream crate releases.
#
# Last reviewed: 2026-02-10
[advisories]
# Transitive advisories we acknowledge but cannot fix at the dependency level.
# Each entry documents WHY it's accepted and WHEN to revisit.
ignore = [
    # lru 0.12.5 unsound IterMut — transitive via tantivy 0.25.0.
    # tantivy main branch already bumped to lru 0.16.3 (commit 947c0d5f);
    # tantivy 0.25.0 only uses LruCache::{new,get,put}, never iter_mut(),
    # so the unsound code path is unreachable in practice.
    # Revisit: upgrade when tantivy 0.26+ publishes.
    "RUSTSEC-2026-0002",

    # bincode 1.3.3 unmaintained — transitive via syntect 5.3.0 and hnsw_rs 0.3.2.
    # Both upstream crates use bincode for internal serialization.
    # No direct exposure in our code. No maintained drop-in replacement available
    # for these upstreams yet.
    # Revisit: check syntect and hnsw_rs releases periodically.
    "RUSTSEC-2025-0141",

    # paste 1.0.15 unmaintained — transitive via fastembed → tokenizers 0.22.2.
    # Proc-macro crate used at compile time only; no runtime risk.
    # Revisit: check fastembed/tokenizers releases.
    "RUSTSEC-2024-0436",

    # yaml-rust 0.4.5 unmaintained — transitive via syntect 5.3.0.
    # syntect uses it internally for theme/syntax parsing.
    # yaml-rust2 exists but syntect hasn't migrated yet.
    # Revisit: check syntect releases.
    "RUSTSEC-2024-0320",
]