diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000..e5cc873
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,31 @@
+# cargo-audit / rustsec/audit-check@v2 configuration
+#
+# Each ignore MUST have a comment with (a) why it's ignored, (b) what would
+# trigger re-evaluation. Audit this file every time we bump iroh or hickory.
+#
+# Last reviewed: 2026-05-05 (post-P-018 merge).
+
+[advisories]
+ignore = [
+ # ----- hickory-proto (transitive via iroh-relay → hickory-resolver) -----
+ #
+ # RUSTSEC-2026-0119 — CPU exhaustion via O(n²) DNS name compression during
+ # message encoding. Fix available in hickory-proto >= 0.26.1, but iroh
+ # 0.97.x pins hickory-proto 0.25.x. Bumping iroh to a release that pulls
+ # hickory 0.26+ is tracked as CHORE-iroh-bump in BACKLOG.md.
+ #
+ # Threat-model note: would require an attacker who can return crafted
+ # DNS responses for iroh relay name resolution. Low realistic exposure
+ # for forgetty's solo-dogfood use case (LAN pairing); higher once
+ # external users pair devices over untrusted networks.
+ "RUSTSEC-2026-0119",
+
+ # RUSTSEC-2026-0118 — NSEC3 closest-encloser proof validation enters an
+ # unbounded loop on cross-zone responses. NO upstream fix available
+ # (https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465).
+ # Re-evaluate when hickory-dns ships a fix.
+ #
+ # Threat-model note: same as above — DNSSEC validation path during iroh
+ # relay resolution.
+ "RUSTSEC-2026-0118",
+]
diff --git a/Cargo.lock b/Cargo.lock
index dc62b24..dfd775d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -969,7 +969,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
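Review bot: Both ignore entries in the new .cargo/audit.toml are open-ended — cargo-audit's `ignore` list has no expiry, so the only thing that will ever resurface RUSTSEC-2026-0119 is someone reading the "Last reviewed" line, and the header's own rule (every ignore states what triggers re-evaluation) is only met implicitly for 0119 via the CHORE-iroh-bump reference. I would make the trigger explicit and mechanically checkable, e.g. `# Trigger: delete this entry once cargo tree -i hickory-proto shows only >= 0.26.1.` For 0118, "same as above" understates the difference: that advisory is in NSEC3/DNSSEC validation, which I believe is feature-gated in hickory, so the comment should record whether that code is actually compiled into this dependency tree (something like `cargo tree -e features -i hickory-proto` can show it), because that decides whether the ignore masks a reachable DoS or an unreachable one. Both advisories are denial-of-service in DNS processing that runs whenever iroh resolves a relay name, so the "LAN pairing" exposure argument holds only while the device never joins an untrusted network; saying so explicitly in the threat-model note would make the entry get revisited before external pairing ships rather than after.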
@@ -1445,7 +1445,7 @@ dependencies = [ "log", "rustversion", "windows-link 0.1.3", - "windows-result 0.4.1", + "windows-result 0.3.4", ] [[package]] @@ -1990,7 +1990,7 @@ dependencies = [ "js-sys", "log", "wasm-bindgen", - "windows-core 0.62.2", + "windows-core 0.61.2", ] [[package]] @@ -2391,7 +2391,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46" dependencies = [ "hermit-abi", "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -3617,9 +3617,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" [[package]] name = "rand" -version = "0.9.2" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" dependencies = [ "rand_chacha", "rand_core", @@ -3827,7 +3827,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -3857,9 +3857,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.10" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ "ring", "rustls-pki-types", @@ -3906,7 +3906,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b55fb86dfd3a2f5f76ea78310a88f96c4ea21a3031f8d212443d56123fd0521" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -4284,10 +4284,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd" dependencies = [ "fastrand", - "getrandom 0.3.4", + "getrandom 0.4.2", "once_cell", "rustix", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -5050,7 +5050,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -5575,8 +5575,8 @@ dependencies = [ "log", "serde", "thiserror 2.0.18", - "windows 0.62.2", - "windows-core 0.62.2", + "windows 0.61.3", + "windows-core 0.61.2", ] [[package]]