cargo audit warning

[pykello]

Describe the bug

Starting today, cargo audit of packages dependent on aws-sdk-s3 1.119.0 fail, because it's dependent on lru 0.12.5

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Doesn't throw a warning.

Current Behavior

$ cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2021-0127
Crate: lru
Version: 0.12.5
Warning: unsound
Title: IterMut violates Stacked Borrows by invalidating internal pointer
Date: 2026-01-07
ID: RUSTSEC-2026-0002
URL: https://rustsec.org/advisories/RUSTSEC-2026-0002
Dependency tree:
lru 0.12.5
└── aws-sdk-s3 1.119.0

Reproduction Steps

Same command used in .github/workflows/audit.yaml:

$ cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2021-0127

Possible Solution

No response

Additional Information/Context

No response

Version

aws-sdk-s3 v1.119.0

Environment details (OS name and version, etc.)

Ubuntu 24.04

Logs

No response

[aajtodd]

smithy-lang/smithy-rs#4470

[runruh-godaddy]

https://github.com/awslabs/aws-sdk-rust/blob/main/sdk/s3/Cargo.toml#L102

[jayvdb]

@runruh-godaddy , that line is generated, and will get updated when someone does a PR here like #1385

[BatmanAoD]

@jayvdb The dependency versions are generated? What is the source of truth for the dependency versions to use?

[jayvdb]

Yes, see smithy-lang/smithy-rs#4470 for all the details.

[BatmanAoD]

Like this? #1397

[aajtodd]

This will go out once we release smithy-rs (sometime this week).