From d8bf13d4d1f0eb0f40bd15839347493b2638bb0a Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Mon, 6 Jul 2026 19:46:00 -0700 Subject: [PATCH] Fix cargo deny failures Update crossbeam-epoch to 0.9.20 to fix RUSTSEC-2026-0204, and ignore three advisories with no upstream fix available: - RUSTSEC-2026-0192: ttf-parser is unmaintained (via ab_glyph) - RUSTSEC-2026-0194/0195: quick-xml issues; zbus_xml and wayland-scanner are both still on quick-xml < 0.41 Co-Authored-By: Claude Fable 5 --- Cargo.lock | 4 ++-- deny.toml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2085fa955..ad93f0e43 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1029,9 +1029,9 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.18" +version = "0.9.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e" +checksum = "2d6914041f254d6e9176c01941b21115dcfb7089e55135a35411081bd106ef3f" dependencies = [ "crossbeam-utils", ] diff --git a/deny.toml b/deny.toml index e926cdb19..7bab6f6f2 100644 --- a/deny.toml +++ b/deny.toml @@ -33,6 +33,9 @@ version = 2 ignore = [ "RUSTSEC-2024-0320", # unmaintained yaml-rust pulled in by syntect "RUSTSEC-2025-0141", # https://rustsec.org/advisories/RUSTSEC-2025-0141 - bincode is unmaintained - https://git.sr.ht/~stygianentity/bincode/tree/v3.0/item/README.md + "RUSTSEC-2026-0192", # ttf-parser is unmaintained - pulled in by ab_glyph via sctk-adwaita (Linux) - no replacement available + "RUSTSEC-2026-0194", # quick-xml quadratic run time on duplicate attribute check - transitive via zbus_xml and wayland-scanner (Linux only), which are both still on quick-xml < 0.41 + "RUSTSEC-2026-0195", # quick-xml NsReader memory exhaustion - transitive via zbus_xml and wayland-scanner (Linux only), which are both still on quick-xml < 0.41 ] [bans]