Commit: 2f26d91 · Finding: DEP-03
Problem
Cargo.toml:13 pins bincode = "1" at workspace level, used in crates/transport, crates/state, crates/worker, crates/storage, crates/common. RUSTSEC-2025-0141 flags bincode 1.3.3 as unmaintained. No CVE today, but future malformed-input bugs won't be patched. Bincode 2.x has different semantics so migration is non-trivial and the cost grows with adoption.
Fix
Plan migration to bincode = "2" (or postcard for a no_std alternative). Gate behind a version byte in the event envelope so old archival data remains readable. Track as a dedicated epic; not safe to auto-PR.
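The version-byte gate from the fix, as an added sketch that is not code from this repository. The `[version: u8][payload]` layout, the `Event` type and the version values 1 and 2 are assumptions. The two integer decoders are hand-written stand-ins for bincode 1's fixed-width layout and bincode 2's standard varint layout, so the block builds without either crate.

```rust
// Added example. Assumed envelope layout: [version: u8][payload]; Event is hypothetical.
// The decoders are hand-written stand-ins for the two wire layouts, not the crates' code.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub struct Event { pub seq: u64, pub topic: String }
#[derive(Debug, PartialEq)]
pub enum DecodeError { Empty, UnknownVersion(u8), Truncated, BadVarint, BadUtf8, Trailing }
// Consume n bytes; the bounds check runs before any allocation sized by input.
fn take<'a>(buf: &mut &'a [u8], n: usize) -> Result<&'a [u8], DecodeError> {
    let s: &'a [u8] = *buf;
    if s.len() < n { return Err(DecodeError::Truncated); }
    let (head, rest) = s.split_at(n);
    *buf = rest;
    Ok(head)
}
fn le_u64(buf: &mut &[u8], width: usize) -> Result<u64, DecodeError> {
    let mut le = [0u8; 8];
    le[..width].copy_from_slice(take(buf, width)?);
    Ok(u64::from_le_bytes(le))
}
// Version 1 layout: every integer is 8 bytes, little-endian.
fn fixed_u64(buf: &mut &[u8]) -> Result<u64, DecodeError> { le_u64(buf, 8) }
// Version 2 layout: values below 251 are one byte; 251/252/253 announce a u16/u32/u64.
fn varint_u64(buf: &mut &[u8]) -> Result<u64, DecodeError> {
    match take(buf, 1)?[0] {
        b @ 0..=250 => Ok(u64::from(b)),
        251 => le_u64(buf, 2),
        252 => le_u64(buf, 4),
        253 => le_u64(buf, 8),
        _ => Err(DecodeError::BadVarint),
    }
}
fn event(buf: &mut &[u8], int: fn(&mut &[u8]) -> Result<u64, DecodeError>) -> Result<Event, DecodeError> {
    let seq = int(buf)?;
    let len = usize::try_from(int(buf)?).map_err(|_| DecodeError::Truncated)?;
    let topic = String::from_utf8(take(buf, len)?.to_vec()).map_err(|_| DecodeError::BadUtf8)?;
    if !buf.is_empty() { return Err(DecodeError::Trailing); }
    Ok(Event { seq, topic })
}
pub fn decode_envelope(bytes: &[u8]) -> Result<Event, DecodeError> {
    let (&version, mut payload) = bytes.split_first().ok_or(DecodeError::Empty)?;
    match version {
        1 => event(&mut payload, fixed_u64),   // archival records
        2 => event(&mut payload, varint_u64),  // records written after the migration
        v => Err(DecodeError::UnknownVersion(v)), // fail closed: never guess a codec
    }
}
fn main() { println!("{:?}", decode_envelope(&[2, 7, 2, b'o', b'k'])); }
```

A version 1 payload read under the version 2 tag does not round-trip; here it is rejected for trailing bytes, which is why the reader dispatches on the tag rather than trying codecs in turn.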