The Security audit job in .github/workflows/ci-grey.yml has been failing on master since 2026-04-10 because new RUSTSEC advisories have been published against crates in Cargo.lock. This blocks all PR merges (the merge workflow waits for CI).
Failing advisories
Errors (vulnerabilities):
- RUSTSEC-2026-0098 — "Name constraints for URI names were incorrectly accepted" (rustls-webpki or similar)
- RUSTSEC-2026-0099 — "Name constraints were accepted for certificates asserting a wildcard name"
Warnings (currently not failing but worth tracking):
- RUSTSEC-2024-0384 — instant is unmaintained
- RUSTSEC-2024-0436 — paste no longer maintained
- RUSTSEC-2026-0002 — IterMut violates Stacked Borrows
- RUSTSEC-2026-0097 — Rand unsound with custom logger
Current ignore list
.github/workflows/ci-grey.yml currently ignores:
--ignore RUSTSEC-2025-0009 --ignore RUSTSEC-2025-0010
Fix options
- Update dependencies — bump rustls-webpki, webpki, etc. to patched versions. Preferred, actually fixes the vulnerability.
- Add ignores — extend --ignore list. Only if the vulnerable code paths are not reached (needs per-advisory justification).
Evidence
Example failing run on PR #721: https://github.com/jarchain/jar/actions/runs/24615098269/job/71975913147
Last successful ci-grey on master: run 24247573136 (2026-04-10).
Why it matters
- Security audit: fail
- genesis-merge.yml waits for CI via gh pr checks --watch --fail-fast, so merges cannot complete even on quorum
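One way to enforce the "needs per-advisory justification" condition from the fix options, as an added example that is not code from the jar repository: a check that every `--ignore` ID in the workflow has a written reason, and that no reason outlives its ignore. It assumes the job invokes `cargo audit`; the `ID: reason` file format, the function names and both sample inputs are hypothetical and constructed for illustration.

```python
import re

# Matches "--ignore RUSTSEC-YYYY-NNNN" and "--ignore=RUSTSEC-YYYY-NNNN".
IGNORE_RE = re.compile(r"--ignore[=\s]+(RUSTSEC-\d{4}-\d{4})")

def ignored_ids(workflow_text):
    """Advisory IDs passed to --ignore in the workflow, in order, deduplicated."""
    return list(dict.fromkeys(IGNORE_RE.findall(workflow_text)))

def parse_justifications(text):
    """Parse 'RUSTSEC-ID: reason' lines (hypothetical format); empty reasons do not count."""
    reasons = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        adv_id, _, reason = line.partition(":")
        if reason.strip():
            reasons[adv_id.strip()] = reason.strip()
    return reasons

def check_ignores(workflow_text, justification_text):
    """Return (unjustified, stale): ignores lacking a reason, reasons lacking an ignore."""
    ignored = ignored_ids(workflow_text)
    reasons = parse_justifications(justification_text)
    unjustified = [adv for adv in ignored if adv not in reasons]
    return unjustified, sorted(set(reasons) - set(ignored))

# Constructed sample: the two ignores listed in the issue plus one newly added ignore.
SAMPLE_WORKFLOW = """\
jobs:
  audit:
    steps:
      - run: cargo audit --ignore RUSTSEC-2025-0009 --ignore RUSTSEC-2025-0010 --ignore RUSTSEC-2026-0098
"""
# Constructed sample justification file; the reasons are placeholders.
SAMPLE_JUSTIFICATIONS = """\
# advisory: why the vulnerable code path is not reached
RUSTSEC-2025-0009: <placeholder reason>
RUSTSEC-2025-0010:
RUSTSEC-2024-0436: <placeholder reason>
"""

if __name__ == "__main__":
    unjustified, stale = check_ignores(SAMPLE_WORKFLOW, SAMPLE_JUSTIFICATIONS)
    for adv in unjustified:
        print(f"ignore without justification: {adv}")
    for adv in stale:
        print(f"justification without ignore: {adv}")
    raise SystemExit(1 if unjustified or stale else 0)
```

Run as a CI step before the audit itself, a non-zero exit stops an ignore from being added without a recorded reason.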