chore(security): ignore known RustSec advisories pending upstream fixes (#97)

MdTeach · web-flow · commit d5b46312a55e · 2026-01-27T10:57:21.000Z
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -34,8 +34,8 @@ jobs:
         run: cargo install cargo-audit --force --locked
 
       - name: Check for audit warnings
-        run: cargo audit -D warnings
+        run: cargo audit -D warnings --file audit.toml
         continue-on-error: true
 
       - name: Check for vulnerabilities
-        run: cargo audit
+        run: cargo audit --file audit.toml
diff --git a/audit.toml b/audit.toml
@@ -0,0 +1,14 @@
+[advisories]
+ignore = [
+    # RUSTSEC-2023-0071 (rsa 0.9.8)
+    # Pulled in via risc0 / rzup.
+    # No fixed upgrade available as of now.
+    # Revisit when risc0 updates its crypto dependencies.
+    "RUSTSEC-2023-0071",
+
+    # RUSTSEC-2025-0055 (tracing-subscriber 0.2.25)
+    # Pulled in via ark-relations.
+    # Upgrade blocked until upstream bumps tracing-subscriber >= 0.3.20.
+    # Low risk: affects ANSI escape sequences in logs only.
+    "RUSTSEC-2025-0055",
+]
