Context
rustls-pemfile 2.2.0 was marked unmaintained on 2025-11-28 (RUSTSEC-2025-0134) — the rustls project folded its PEM-parsing functionality into rustls-pki-types. This is informational, not a CVE.
Zenoh 1.9.0 pulls rustls-pemfile 2.2.0 transitively via:
rustls-pemfile 2.2.0
└── zenoh-link-tls 1.9.0
    └── zenoh-link 1.9.0
        ├── zenoh-transport 1.9.0
        └── zenoh 1.9.0
Question
Is migration to rustls-pki-types (or alternative) on the roadmap for an upcoming Zenoh minor? Downstream consumers running cargo audit are now seeing this advisory and adding it to their ignore lists, but ideally we'd remove the ignore once upstream migrates.
Why filing
We bumped from 1.0.4 → 1.9.0 today and want to track this for our 90-day pin re-evaluation cadence. Just looking for a roadmap pointer — no urgency since it's an unmaintained marker rather than a vulnerability.
Reference
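A check a downstream consumer could run next to the ignore entry described in the issue, added here as an example and not part of the original issue or the Zenoh project: it parses a Cargo.lock, lists which crates still pull in rustls-pemfile, and reports when the ignore for RUSTSEC-2025-0134 has become stale. The lockfile excerpt is constructed from the chain quoted above, and the function names and the advisory-to-crate map are assumptions.

```python
import re
# Constructed Cargo.lock excerpt mirroring the chain quoted in the issue.
LOCK = """
[[package]]
name = "rustls-pemfile"
version = "2.2.0"
[[package]]
name = "zenoh-link-tls"
version = "1.9.0"
dependencies = [
 "rustls-pemfile",
]
[[package]]
name = "zenoh-link"
version = "1.9.0"
dependencies = [
 "zenoh-link-tls",
]
[[package]]
name = "zenoh"
version = "1.9.0"
dependencies = [
 "zenoh-link",
]
"""
# Assumed map of ignored advisory id -> affected crate (both from the issue).
IGNORED = {"RUSTSEC-2025-0134": "rustls-pemfile"}

def parse_lock(text):
    """Map crate -> dependency names; entries are 'name' or 'name version'."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        names = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else []
        graph.setdefault(name, []).extend(names)
    return graph

def dependents(graph, crate):
    """Crates that reach `crate` transitively, like `cargo tree -i <crate>`."""
    found, frontier = set(), {crate}
    while frontier:
        frontier = {p for p, ds in graph.items() if frontier & set(ds)} - found
        found |= frontier
    return found

def stale_ignores(graph, ignored):
    """Advisory ids whose affected crate no longer appears in the lockfile."""
    return sorted(adv for adv, crate in ignored.items() if crate not in graph)
```

To use it on a real project, pass the contents of Cargo.lock to `parse_lock`; a non-empty `stale_ignores` result means the entry can be dropped from the cargo audit ignore list.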