ci: stop weekly security-audit failures from unmaintained transitive deps#16
Merged
The Security Audit workflow failed every week because cargo-deny flagged new "unmaintained" advisories on deep transitive build dependencies (proc-macro-error2, paste, fxhash, custom_derive via getset -> bio) that have no safe upgrade and pose no real risk for a CLI. Each new advisory required adding another RUSTSEC id to the ignore list.

Fix the class instead of individual ids:

- deny.toml: set advisories.unmaintained = "workspace" so only direct dependencies are checked for unmaintained status; drop the per-id ignore list. Vulnerabilities and unsound advisories still fail the check.
- security.yml: run on schedule + manual dispatch only (no longer on every push/PR, so an unmaintained advisory can't block a merge), and use a single `cargo deny check` instead of the overlapping cargo-audit step plus the slow, non-failing cargo-outdated step.

Verified locally with cargo-deny 0.19.7: advisories ok, bans ok, licenses ok, sources ok.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem

The weekly Security Audit has failed continuously because `cargo deny check` flags new unmaintained advisories on deep transitive build dependencies (proc-macro-error2, paste, fxhash, custom_derive via getset → bio). These have no safe upgrade and pose no real risk for a CLI, so every new advisory meant adding another RUSTSEC-… id to the ignore list.

Change

- deny.toml: advisories.unmaintained = "workspace" so unmaintained status is only checked for direct dependencies, not deep transitive build crates. Drops the per-id ignore churn. Vulnerabilities and unsound advisories still fail the check.
- security.yml: runs on schedule + manual dispatch only (no longer on push/pull_request, so an unmaintained advisory can no longer block a merge); replaced the overlapping `cargo audit` step and the slow non-failing cargo-outdated step with a single `cargo deny check`.
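To make the Problem and Change sections concrete, here is an added illustration of the deny.toml advisories section (example text, not the PR's own file, which this page does not reproduce): the old per-id ignore pattern beside the new workspace-scoped setting. The RUSTSEC ids and reason strings are placeholders.

```toml
# deny.toml [advisories] section: added example, not the repository's file.

[advisories]
# BEFORE (the pattern this PR removes): every new unmaintained advisory on a
# deep transitive build dependency had to be appended here by hand.
# The ids below are placeholders, not real advisories from this repository.
# ignore = [
#     { id = "RUSTSEC-0000-0001", reason = "proc-macro-error2: build-only, no safe upgrade" },
#     { id = "RUSTSEC-0000-0002", reason = "paste: build-only, no safe upgrade" },
# ]

# AFTER: only direct (workspace) dependencies are checked for unmaintained
# status. Transitive build crates such as proc-macro-error2, paste, fxhash or
# custom_derive no longer fail the run, so the per-id ignore list goes away.
unmaintained = "workspace"

# Not affected by the setting above: vulnerability and unsound advisories are
# still reported for the whole dependency graph, direct and transitive, so
# `cargo deny check` still fails on a real vulnerability in any crate.
# Keep this empty unless a specific finding has been reviewed and accepted.
ignore = []
```

The summary line in the Verification section (advisories ok, bans ok, licenses ok, sources ok) is what `cargo deny check` prints when all four checks pass against this configuration.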
Verification

Local: cargo-deny 0.19.7 (matches CI pin): advisories ok, bans ok, licenses ok, sources ok.

🤖 Generated with Claude Code