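# cargo-audit configuration for CI (RustSec).
#
# Rationale: we want to block merges on known vulnerabilities in the *default* build,
# while being explicit about any temporary exceptions.
#
# Note: This repo includes optional database ingestion via ConnectorX (`db_connectorx`).
# ConnectorX pulls in transitive unmaintained / informational advisories that have no upstream
# fix without larger dependency/MSRV shifts. Polars / parquet also pull informational advisories
# (e.g. unmaintained `bincode`, `paste`) until upstream bumps land. Track removals in CHANGELOG.
#
# Caveat: cargo-audit matches `ignore` against Cargo.lock, not against the enabled feature set,
# so an advisory listed here is suppressed for every build (including the default one) as long
# as the crate stays in the lockfile. Re-check every entry whenever Cargo.lock or the MSRV moves.

[advisories]
# Temporary exceptions. Each entry must carry the reason and the path by which it is reached,
# so that it can be dropped as soon as the blocking upgrade lands.
ignore = [
    # ConnectorX transitive; no fixed upgrade available.
    "RUSTSEC-2022-0040",
    # `time` DoS via stack exhaustion: fixed in >=0.3.47 which currently requires a newer Rust.
    # Reached via ConnectorX → mysql_common → time.
    "RUSTSEC-2026-0009",
    # --- ConnectorX / SQL drivers (optional `db_connectorx`; still present in Cargo.lock) ---
    "RUSTSEC-2021-0139", # ansi_term via bindgen → tiberius
    "RUSTSEC-2024-0375", # atty unmaintained
    "RUSTSEC-2021-0145", # atty unsound
    "RUSTSEC-2021-0153", # encoding via tiberius
    "RUSTSEC-2023-0067", # fehler
    "RUSTSEC-2024-0384", # instant via parking_lot
    "RUSTSEC-2026-0002", # lru via mysql
    # --- Default build: Polars / parquet / object_store stack ---
    "RUSTSEC-2025-0141", # bincode unmaintained (polars-utils)
    "RUSTSEC-2024-0436", # paste unmaintained (parquet; also oracle when ConnectorX enabled)
    # `rand`: informational unsound under narrow custom-logger conditions; reached via Polars and
    # ConnectorX paths. Upstream rand patch levels are gated on ecosystem upgrades.
    "RUSTSEC-2026-0097",
]
# Keep informational advisories visible in logs but do not fail CI on them by default.
informational_warnings = ["unmaintained", "unsound", "yanked"]
# Report every severity; the `ignore` list above is the only suppression in effect.
severity_threshold = "low"

[output]
# Empty: informational warnings are printed but never fail the run. Set `deny = ["warnings"]`
# to make them errors once the ignore list above has shrunk enough to keep CI green.
deny = []
format = "terminal"
quiet = false
# Print the dependency path to each affected crate so every exception can be attributed.
show_tree = true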