Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .cargo/audit.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,12 @@
[advisories]
ignore = [
# "RUSTSEC-0000-0000", # 2026-01-01: not exploitable — affected API unused; fix tracked at <url>
# 2026-07-04: quick-xml 0.38.4 DoS advisories (quadratic dup-attr check / unbounded ns alloc).
# Transitive via tauri/tauri-plugin/tauri-codegen → plist → quick-xml; patched quick-xml is
# >=0.41.0 but the newest plist (1.9.0) still pins ^0.39.2, so NO upgrade path exists today.
# Not exploitable here: plist parses the app's own Apple property-list config at build/dev
# time, never attacker-controlled input, and Victauri is a debug-builds-only dev tool.
# Remove both ids when plist releases quick-xml>=0.41 support and tauri picks it up.
"RUSTSEC-2026-0194",
"RUSTSEC-2026-0195",
]
9 changes: 8 additions & 1 deletion deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,14 @@
# Vulnerabilities are denied by default in cargo-deny; these tighten the rest (audit #10).
unmaintained = "workspace"
yanked = "deny"
ignore = []
ignore = [
# 2026-07-04: quick-xml 0.38.4 DoS advisories — transitive via tauri -> plist; patched
# quick-xml is >=0.41.0 but the newest plist (1.9.0) pins ^0.39.2, so no upgrade path
# exists today. Build/dev-time parsing of the app's own plists, not attacker input.
# Mirror of .cargo/audit.toml (both files must agree to unblock a release).
"RUSTSEC-2026-0194",
"RUSTSEC-2026-0195",
]

[licenses]
allow = [
Expand Down
Loading