
ci: cargo-audit failing on new 2026 RUSTSEC advisories (blocks merges) #722


@sorpaas

The Security audit job in .github/workflows/ci-grey.yml is failing on master since 2026-04-10 because new RUSTSEC advisories have been published against crates in Cargo.lock. This blocks all PR merges (the merge workflow waits for CI).

Failing advisories

Errors (vulnerabilities):

  • RUSTSEC-2026-0098 — "Name constraints for URI names were incorrectly accepted" (rustls-webpki or similar)
  • RUSTSEC-2026-0099 — "Name constraints were accepted for certificates asserting a wildcard name"

Warnings (currently not failing but worth tracking):

  • RUSTSEC-2024-0384 — instant is unmaintained
  • RUSTSEC-2024-0436 — paste no longer maintained
  • RUSTSEC-2026-0002 — IterMut violates Stacked Borrows
  • RUSTSEC-2026-0097 — Rand unsound with custom logger

Current ignore list

.github/workflows/ci-grey.yml currently ignores:

--ignore RUSTSEC-2025-0009 --ignore RUSTSEC-2025-0010

Fix options

  1. Update dependencies — bump rustls-webpki, webpki, etc. to patched versions. Preferred, actually fixes the vulnerability.
  2. Add ignores — extend --ignore list. Only if the vulnerable code paths are not reached (needs per-advisory justification).

Evidence

Example failing run on PR #721: https://github.com/jarchain/jar/actions/runs/24615098269/job/71975913147

Last successful ci-grey on master: run 24247573136 (2026-04-10).

Why it matters
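A gate for fix option 2, added here as an illustration and not code from the jar repository or from the issue author: it reads a cargo-audit JSON report (the sample below is constructed from the advisory ids in this issue) and keeps the build red for any vulnerability whose ignore entry lacks a written reason or has passed its review date. The IGNORES entries, reasons and dates are hypothetical.

```python
"""Gate for cargo-audit results: every ignored advisory must carry a written
justification and a review date, so an --ignore list does not silently rot.
Added example; the report below is constructed, not output of a real run."""
import json
from datetime import date

# Constructed excerpt of `cargo audit --json` output using the advisory ids
# from this issue (field names follow cargo-audit's JSON report layout).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": True, "count": 2, "list": [
        {"advisory": {"id": "RUSTSEC-2026-0098", "package": "rustls-webpki",
                      "title": "Name constraints for URI names were incorrectly accepted"},
         "package": {"name": "rustls-webpki", "version": "0.0.0-constructed"}},
        {"advisory": {"id": "RUSTSEC-2026-0099", "package": "rustls-webpki",
                      "title": "Name constraints were accepted for wildcard names"},
         "package": {"name": "rustls-webpki", "version": "0.0.0-constructed"}},
    ]},
    "warnings": {"unmaintained": [
        {"kind": "unmaintained", "advisory": {"id": "RUSTSEC-2024-0384", "package": "instant"},
         "package": {"name": "instant", "version": "0.0.0-constructed"}},
    ]},
})

# Hypothetical ignore list: reason and review date are placeholders, not project decisions.
IGNORES = {
    "RUSTSEC-2026-0098": {"reason": "placeholder: affected code path not reached",
                          "expires": "2026-06-30"},
}

def evaluate(report_json, ignores, today="2026-04-15"):
    """Return (blocking, accepted, stale): ids that still fail the build, ids ignored
    with a valid justification, and ignores whose review date has passed (ISO dates)."""
    report, now = json.loads(report_json), date.fromisoformat(today)
    blocking, accepted, stale = [], [], []
    for vuln in report["vulnerabilities"]["list"]:
        adv_id = vuln["advisory"]["id"]
        entry = ignores.get(adv_id)
        if entry is None or not entry.get("reason"):
            blocking.append(adv_id)          # no ignore, or an ignore without a reason
        elif date.fromisoformat(entry["expires"]) < now:
            stale.append(adv_id)             # justification expired: re-review required
            blocking.append(adv_id)
        else:
            accepted.append(adv_id)
    return blocking, accepted, stale

def warning_ids(report_json):
    """Collect ids of non-failing warnings (unmaintained, unsound, ...) for tracking."""
    report = json.loads(report_json)
    return sorted(w["advisory"]["id"] for kind in report["warnings"].values() for w in kind)

if __name__ == "__main__":
    print(evaluate(SAMPLE_REPORT, IGNORES), warning_ids(SAMPLE_REPORT))
```

Wiring this after `cargo audit --json` in the workflow, with the ignore table kept in the repository, gives each ignore the per-advisory justification the fix options call for and forces a re-review when it expires.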
