
[security] RUSTSEC-2026-0119: hickory-proto CPU exhaustion via O(n²) name compression #508

@intendednull

Description

Surfaced by the cargo-audit job on master PR #507 (failed run: https://github.com/intendednull/willow/actions/runs/25240179167/job/74014485715).

Advisory

  • ID: RUSTSEC-2026-0119
  • Crate: hickory-proto 0.26.0-beta.4
  • Title: CPU exhaustion during message encoding due to O(n²) name compression
  • Date: 2026-05-01 (published yesterday)
  • URL: GHSA-q2qq-hmj6-3wpp
  • Solution: Upgrade to >=0.26.1

Why a plain cargo update does not fix it

hickory-proto 0.26.0-beta.4 is pinned by hickory-resolver 0.26.0-beta.4, which is in turn pinned by iroh-relay 0.98.0 and iroh 0.98.1. The iroh stack's requirement is probably beta-pinned (=0.26.0-beta style), so cargo update will not jump from a beta to a stable release across that ecosystem boundary without an iroh release that bumps the requirement range.

hickory-proto 0.26.0-beta.4
└── hickory-resolver 0.26.0-beta.4
    ├── iroh-relay 0.98.0  →  willow-relay, willow-network
    └── iroh 0.98.1        →  willow-{relay,network,client,...}

Action

  1. Add --ignore RUSTSEC-2026-0119 to the cargo-audit step in .github/workflows/ci.yml, with a comment referencing this issue.
  2. Re-evaluate when an iroh release bumps the hickory requirement range to allow 0.26.1+.
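As an added example (not willow's CI code), a POSIX sh check for step 2 that decides whether the --ignore is still warranted: it scans `cargo tree --prefix none` output for hickory-proto versions below the advisory's fixed version and, once none remain, reports that the ignore should be dropped. The SAMPLE_TREE input is constructed to mirror the tree above.

```shell
#!/bin/sh
# Added example, not part of willow's CI: decide whether the cargo-audit
# `--ignore RUSTSEC-2026-0119` entry is still justified, so it gets dropped
# as soon as the iroh stack lets hickory-proto move into the fixed range.
# Input is `cargo tree --prefix none` output ("name vX.Y.Z" per line);
# SAMPLE_TREE below is constructed to mirror the tree in this issue.

FIXED_VERSION="0.26.1"   # advisory solution: upgrade to >=0.26.1

# vulnerable_versions TREE_OUTPUT
# Prints every distinct hickory-proto version below FIXED_VERSION, one per
# line. A pre-release of the fixed version (0.26.1-beta.1) still counts as
# vulnerable, matching semver ordering.
vulnerable_versions() {
    printf '%s\n' "$1" | awk -v fixed="$FIXED_VERSION" '
        $1 == "hickory-proto" && !seen[$2]++ {
            v = $2; sub(/^v/, "", v)
            n = split(v, p, /[.-]/)       # 0.26.0-beta.4 -> 0 26 0 beta 4
            split(fixed, f, ".")
            for (i = 1; i <= 3; i++) {    # compare major.minor.patch
                if (p[i] + 0 < f[i] + 0) { print v; next }
                if (p[i] + 0 > f[i] + 0) { next }
            }
            if (n > 3) print v            # same core version, pre-release tag
        }'
}

# ignore_still_needed TREE_OUTPUT -> exit 0 while any vulnerable copy remains
ignore_still_needed() {
    [ -n "$(vulnerable_versions "$1")" ]
}

# Constructed sample matching the dependency tree shown in this issue.
SAMPLE_TREE='hickory-proto v0.26.0-beta.4
hickory-resolver v0.26.0-beta.4
iroh-relay v0.98.0
iroh v0.98.1'

if ignore_still_needed "$SAMPLE_TREE"; then
    echo "hickory-proto still below $FIXED_VERSION, keep --ignore RUSTSEC-2026-0119:"
    vulnerable_versions "$SAMPLE_TREE"
else
    echo "no vulnerable hickory-proto left, drop --ignore RUSTSEC-2026-0119 from ci.yml"
fi
```

In CI, feed it real `cargo tree --prefix none` output in place of SAMPLE_TREE and fail the job when ignore_still_needed returns non-zero, which flags the ignore as stale.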

Reachability

hickory-proto is only used in iroh's DNS-resolver path (relay discovery). Willow exposes no DNS-server surface; an attacker would need to control a DNS response that we resolve. Low practical risk in the current config; track for an upstream fix.

Same shape as the #223, #246, #247, #316, #317, #318 trackers.
