
ci(audit): ignore unmaintained transitive advisories (#316/#317/#318)#402

Merged
intendednull merged 1 commit into
mainfrom
claude/audit-ignores-rustsec-unmaintained
Apr 27, 2026

Conversation

@intendednull (Owner)

Why

Three RUSTSEC unmaintained advisories trip CI audit gate. All transitive, no path from our code:

Upstream chains:

paste 1.0.15
  - leptos 0.7.8 (tachys, leptos_dom, leptos_server, reactive_stores, either_of)
  - iroh 0.98.1 (netwatch -> netlink-packet-core)

proc-macro-error 0.4.12
  - iroh-blobs 0.100.0 -> bao-tree -> genawaiter -> genawaiter-proc-macro

atomic-polyfill 1.0.3
  - iroh 0.98.1 (postcard -> heapless), iroh-blobs, iroh-gossip, iroh-relay, irpc

No trivial single-dep bump fixes any of these — iroh + leptos ecosystems both pin upstreams that haven't migrated. Bumping iroh/leptos = deep risk, separate work.

Fix

Add --ignore RUSTSEC-XXXX-XXXX to existing cargo audit step in .github/workflows/ci.yml. Matches existing style (inline # comment with tracking issue ref). Issues #316/#317/#318 stay open as tracking issues — not closed by this PR — until upstream fixes land or we bump iroh/leptos.

Verify

Local before:

warning: 3 allowed warnings found
  paste            RUSTSEC-2024-0436
  proc-macro-error RUSTSEC-2024-0370
  atomic-polyfill  RUSTSEC-2023-0089

Local after (same flags as CI):

Scanning Cargo.lock for vulnerabilities (639 crate dependencies)
exit 0

Tradeoff: ignoring vs upgrading. Upgrading rejected — iroh/leptos pin transitives, blast radius too large for this scope. Tracking issues capture follow-up.

Refs #316
Refs #317
Refs #318


Generated by Claude Code
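A small check to go with the tradeoff described above, added here as an example and not code from PR #402 or this repository: it builds the `cargo audit --ignore` argv from the same id-to-issue table that the inline ci.yml comments encode, and reports ignores that have gone stale (advisory no longer present in an unfiltered run, so the tracking issue can be closed) or findings that slip past the ignores with no tracking issue. The sample outputs are constructed from the PR's own "Local before" text; the `__main__` invocation assumes cargo-audit is installed and that its text report is captured on stdout/stderr.

```python
import re
# Advisory id -> tracking issue, mirroring the inline comments the PR adds to ci.yml.
IGNORES = {
    "RUSTSEC-2024-0436": "#316",  # paste (via leptos + iroh)
    "RUSTSEC-2024-0370": "#317",  # proc-macro-error (via iroh-blobs -> genawaiter)
    "RUSTSEC-2023-0089": "#318",  # atomic-polyfill (via iroh -> postcard -> heapless)
}
ADVISORY_ID = re.compile(r"RUSTSEC-\d{4}-\d{4}")

# Constructed sample: the "Local before" output quoted in the PR description.
SAMPLE_BEFORE = """\
warning: 3 allowed warnings found
  paste            RUSTSEC-2024-0436
  proc-macro-error RUSTSEC-2024-0370
  atomic-polyfill  RUSTSEC-2023-0089
"""
# Constructed sample of a hypothetical later run where the proc-macro-error chain is gone.
SAMPLE_AFTER_UPSTREAM_FIX = """\
warning: 2 allowed warnings found
  paste            RUSTSEC-2024-0436
  atomic-polyfill  RUSTSEC-2023-0089
"""

def audit_args(ignores, extra_flags=()):
    """argv for the CI gate: one explicit --ignore per tracked advisory; other CI flags are the caller's."""
    args = ["cargo", "audit", *extra_flags]
    for advisory_id in sorted(ignores):
        args += ["--ignore", advisory_id]
    return args

def advisories_in(output):
    """Every RUSTSEC id mentioned in audit output, independent of the report layout."""
    return set(ADVISORY_ID.findall(output))

def stale_ignores(ignores, unfiltered_output):
    """Ignores whose advisory no longer appears when audit runs WITHOUT --ignore:
    the upstream fix has landed, so drop the ignore and close its tracking issue."""
    present = advisories_in(unfiltered_output)
    return {aid: issue for aid, issue in ignores.items() if aid not in present}

def untracked_findings(ignores, filtered_output):
    """Advisories still reported WITH the ignores applied: new findings that have no tracking issue."""
    return advisories_in(filtered_output) - set(ignores)

if __name__ == "__main__":
    import subprocess
    run = subprocess.run(["cargo", "audit"], capture_output=True, text=True)
    for aid, issue in stale_ignores(IGNORES, run.stdout + run.stderr).items():
        print(f"{aid} no longer in the dependency tree: drop its --ignore and close {issue}")
```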

- RUSTSEC-2024-0436 paste (via leptos+iroh)
- RUSTSEC-2024-0370 proc-macro-error (via iroh-blobs->genawaiter)
- RUSTSEC-2023-0089 atomic-polyfill (via iroh->postcard->heapless)

All transitive, no direct fix. Track via #316/#317/#318.

Refs #316
Refs #317
Refs #318
@intendednull intendednull merged commit f0a59f9 into main Apr 27, 2026
7 checks passed
@intendednull intendednull deleted the claude/audit-ignores-rustsec-unmaintained branch April 27, 2026 08:55
intendednull pushed a commit that referenced this pull request Apr 28, 2026
…ional

three lessons from batch 2026-04-28-002530:

1. coordinator must `git fetch + reset` master batch branch before each implementer dispatch — stale local state contaminates the next worktree (#451 implementer found half-applied prior work in fresh worktree).

2. when implementer's pre-flight detects upstream fix already landed (#316/#317/#318 vs PR #402), close issues + caveman-comment, do NOT include in master PR `Fixes` list — record under `## Already-Fixed` instead.

3. github webhook subscriptions for sub-PRs are informational only — implementer owns its merge gate, coordinator must not duplicate that work.