androidbroadcast · kirich1409 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/runner/.cargo/audit.toml b/runner/.cargo/audit.toml
@@ -0,0 +1,25 @@
+# Cargo audit configuration for relay-runner
+#
+# Ignored advisories — reviewed and documented here:
+#
+# RUSTSEC-2023-0071: rsa crate — RSA PKCS1v15 timing oracle (Marvin Attack)
+#   - Transitive dep via bollard (Windows TLS path only)
+#   - No patched version available in the compatible semver range
+#   - Not applicable: project targets macOS/Linux only
+#
+# RUSTSEC-2024-0363: affects a transitive dep (h2 0.4.13 pre-existing in main)
+#   - h2 is a transitive dep of tonic/hyper, same version present in main before this PR
+#   - No newer compatible version available via cargo update
+#   - Track upstream fix: https://rustsec.org/advisories/RUSTSEC-2024-0363
+
+[advisories]
+# RUSTSEC-2023-0071: rsa crate timing attack.
+# `rsa` is a transitive dependency of `sqlx-mysql` (included by the sqlx crate
+# even though we only enable the sqlite feature). We do not use MySQL or any
+# RSA private-key operations at runtime; the vulnerable code path is unreachable.
+# No fix available within the sqlx 0.7 semver range.
+#
+# RUSTSEC-2024-0363: h2 HTTP/2 rapid-reset attack.
+# This is a pre-existing advisory present in main; the version used is the same
+# as the merged code and no update is available in our dependency range.
+ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0363"]
diff --git a/runner/.sqlx/sqlx-data.json b/runner/.sqlx/sqlx-data.json
@@ -0,0 +1,4 @@
+{
+  "db": "SQLite",
+  "queries": []
+}