Commit 5133512
committed
fix(security): ignore RUSTSEC-2026-0097 — not vulnerable in our usage
The recurring Cargo Deny failure (05-04, 04-27, 05-11, 05-13) was
RUSTSEC-2026-0097, an unsoundness advisory against rand 0.8.x. The
unsoundness only triggers when ALL of these conditions hold:
1. log + thread_rng features enabled on rand
2. A custom log::Log implementation is registered
3. The custom logger calls rand::rng() / rand::thread_rng() and
invokes TryRng methods on ThreadRng from inside the logger
4. ThreadRng reseeds (every ~64 KB) while called from the logger
Verified our codebase does not meet condition (2):
$ grep -rln "log::Log\|impl Log\|set_logger\|set_boxed_logger" crates/
(empty)
Our rand usage is straightforward (canary token generation, boundary
nonces, retry jitter, FPR calibration RNG, auth token randomness) —
none inside a logger.
Dependabot PR #197 captured the rand 0.8 → 0.9 migration but the
upgrade is a major version bump with breaking API changes. The
codebase doesn't compile against rand 0.9 without source edits we
don't currently need to make.
Closes the cargo-deny failure surfaced as the recurring Security
Audit red.
1 parent ca28dd4, commit 5133512
1 file changed
Lines changed: 9 additions & 0 deletions
[Diff: 3 unchanged context lines (17-19), 9 added lines (new lines 20-28), 3 unchanged context lines (old 20-22, new 29-31); the changed file's name and the added text are not shown.]
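Review bot: the nine added lines (new lines 20-28) should carry, next to the RUSTSEC-2026-0097 ignore entry, the reason the advisory does not apply and the condition under which the ignore is retired; otherwise the entry outlives the justification that only exists in this commit message. Suggest putting the four trigger conditions and the `grep` check from the message in a comment beside the entry (or, where the cargo-deny version in use supports it, as the `reason` field of an `{ id = "RUSTSEC-2026-0097", reason = "..." }` entry) and naming what removes it: landing the rand 0.8 to 0.9 migration from Dependabot PR #197, or any logger implementation (`log::Log`, `set_logger`, `set_boxed_logger`) entering the workspace. One more point on the verification: the `grep` is scoped to `crates/`, so if any binary, example or test targets live outside that directory, the check that supports condition (2) should cover them too.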
0 commit comments