From f5714902e50a1c8b646104de5947df2edcd167ef Mon Sep 17 00:00:00 2001 From: antony Date: Sat, 4 Jul 2026 13:24:35 +1000 Subject: [PATCH] =?UTF-8?q?ci:=20ignore=20RUSTSEC-2026-0194/0195=20(quick-?= =?UTF-8?q?xml=20via=20tauri=E2=86=92plist)=20=E2=80=94=20no=20upstream=20?= =?UTF-8?q?path=20yet?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two 2026-06-29 advisories against transitive quick-xml 0.38.4 (quadratic duplicate-attribute check + unbounded namespace allocation, both DoS-class) turned CI red on every branch through no change of ours. Patched quick-xml is >=0.41.0, but the newest plist (1.9.0) still pins ^0.39.2, so no dependency bump can reach the fix today. Risk accepted with justification (dated, in both files per the documented protocol): plist parses the app's OWN Apple property-list config at build/dev time — never attacker-controlled input — and Victauri is a debug-builds-only dev tool. Remove both ids when plist supports quick-xml>=0.41 and tauri picks it up. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5 --- .cargo/audit.toml | 8 ++++++++ deny.toml | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/.cargo/audit.toml b/.cargo/audit.toml index 5909951..c043fff 100644 --- a/.cargo/audit.toml +++ b/.cargo/audit.toml @@ -10,4 +10,12 @@ [advisories] ignore = [ # "RUSTSEC-0000-0000", # 2026-01-01: not exploitable — affected API unused; fix tracked at + # 2026-07-04: quick-xml 0.38.4 DoS advisories (quadratic dup-attr check / unbounded ns alloc). + # Transitive via tauri/tauri-plugin/tauri-codegen → plist → quick-xml; patched quick-xml is + # >=0.41.0 but the newest plist (1.9.0) still pins ^0.39.2, so NO upgrade path exists today. + # Not exploitable here: plist parses the app's own Apple property-list config at build/dev + # time, never attacker-controlled input, and Victauri is a debug-builds-only dev tool. + # Remove both ids when plist releases quick-xml>=0.41 support and tauri picks it up. + "RUSTSEC-2026-0194", + "RUSTSEC-2026-0195", ] diff --git a/deny.toml b/deny.toml index 2b9b13f..6c2607d 100644 --- a/deny.toml +++ b/deny.toml @@ -2,7 +2,14 @@ # Vulnerabilities are denied by default in cargo-deny; these tighten the rest (audit #10). unmaintained = "workspace" yanked = "deny" -ignore = [] +ignore = [ + # 2026-07-04: quick-xml 0.38.4 DoS advisories — transitive via tauri -> plist; patched + # quick-xml is >=0.41.0 but the newest plist (1.9.0) pins ^0.39.2, so no upgrade path + # exists today. Build/dev-time parsing of the app's own plists, not attacker input. + # Mirror of .cargo/audit.toml (both files must agree to unblock a release). + "RUSTSEC-2026-0194", + "RUSTSEC-2026-0195", +] [licenses] allow = [