File: .github/workflows/ci.yml:180
Severity: security
Obvious? yes
The audit job runs cargo install --locked cargo-audit with no --version pin. While --locked ensures the install respects the binary's own Cargo.lock, the version of cargo-audit pulled is whatever crates.io's latest cargo-audit resolves to at job start time. A compromised or buggy cargo-audit release would silently take effect on the very next CI run, with no opportunity to bump deliberately. This is the standard supply-chain risk for any cargo install <name> without a pinned version, and the job is also the gate that scans for advisories — so a malicious upload could lie about what is vulnerable.
Fix: pin a version, e.g. cargo install --locked --version 0.21.2 cargo-audit, and bump explicitly. Compare to docker/web.Dockerfile:4 which correctly pins cargo install trunk --version 0.21.14 --locked.
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
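As an added example (not part of this finding or the project's own CI), a small POSIX shell lint that flags `cargo install` lines carrying neither a `--version` pin nor the `crate@version` form. It runs over two constructed inputs: a workflow snippet containing both the unpinned step from the finding and the pinned fix, and a one-line Dockerfile shaped like the pinned `trunk` install the finding cites as the correct pattern. The file contents and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: lint for unpinned `cargo install <crate>` invocations.
# Prints each offending line prefixed with its line number; prints nothing when clean.
find_unpinned_cargo_installs() {
    # $1: path to a workflow, Dockerfile or shell script to scan.
    # A line counts as pinned if it carries `--version X` or the `crate@X.Y.Z` form
    # cargo also accepts; the `|| true` keeps a clean file from returning grep's exit 1.
    grep -n 'cargo install' "$1" | grep -v -E -- '--version|@[0-9]' || true
}

# Number of unpinned installs in a file (0 when clean); suitable for gating a CI step.
unpinned_count() {
    find_unpinned_cargo_installs "$1" | grep -c . || true
}

# Constructed sample workflow: the unpinned audit step from the finding, then the fix.
SAMPLE_WORKFLOW="$(mktemp)"
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - run: cargo install --locked cargo-audit
      - run: cargo audit
  audit-pinned:
    runs-on: ubuntu-latest
    steps:
      - run: cargo install --locked --version 0.21.2 cargo-audit
      - run: cargo audit
EOF

# Constructed Dockerfile line in the shape of the pinned trunk install the finding points to.
SAMPLE_DOCKERFILE="$(mktemp)"
printf 'RUN cargo install trunk --version 0.21.14 --locked\n' > "$SAMPLE_DOCKERFILE"

for f in "$SAMPLE_WORKFLOW" "$SAMPLE_DOCKERFILE"; do
    n="$(unpinned_count "$f")"
    if [ "$n" != "0" ]; then
        echo "$f: $n unpinned cargo install line(s):"
        find_unpinned_cargo_installs "$f"
    else
        echo "$f: all cargo install lines are version-pinned"
    fi
done
```

Wired into CI as `[ "$(unpinned_count .github/workflows/ci.yml)" = 0 ] || exit 1`, the check fails the build before an unpinned install can pull whatever crates.io resolves at job start. It is a line-oriented heuristic: a `cargo install --git` line, or a version supplied through a shell variable, needs a matching extension of the pattern.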