From 8e6f4d38e29b6cfe1d7ce87ca31e0c5deba5d30b Mon Sep 17 00:00:00 2001
From: Elias Rohrer
Date: Fri, 17 Apr 2026 11:33:13 +0200
Subject: [PATCH 1/4] CI: Add cargo-audit workflow

Run security audits against all three checked-in lock files using the official rustsec/audit-check action. Triggers on push, PRs, and daily via cron to catch newly published advisories.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer
---
 .github/workflows/audit.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/audit.yml

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
new file mode 100644
index 00000000..26dd2d46
--- /dev/null
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,28 @@
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ schedule:
+ - cron: '0 0 * * *'
+
+name: Audit
+
+jobs:
+ audit:
+ name: Security audit - ${{ matrix.lockfile }}
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ checks: write
+ strategy:
+ fail-fast: false
+ matrix:
+ lockfile: [Cargo-minimal.lock, Cargo-recent.lock]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Use ${{ matrix.lockfile }}
+ run: cp ${{ matrix.lockfile }} Cargo.lock
+ - uses: rustsec/audit-check@v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}

From 9054511cd3fea5b295aa60fe58940a9a7a1d5604 Mon Sep 17 00:00:00 2001
From: Elias Rohrer
Date: Fri, 17 Apr 2026 11:54:32 +0200
Subject: [PATCH 2/4] Bump bytes, rand, and tar to fix cargo-audit findings

Addresses RUSTSEC-2026-0007 (bytes), RUSTSEC-2026-0067/0068 (tar), and RUSTSEC-2026-0097 (rand).

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer
---
 Cargo-minimal.lock | 12 ++++++------
 Cargo-recent.lock | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/Cargo-minimal.lock b/Cargo-minimal.lock
index 23633d4c..16fa99fa 100644
--- a/Cargo-minimal.lock
+++ b/Cargo-minimal.lock
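Review bot: The job-level `permissions` block grants `issues: write` and `checks: write` but omits `contents: read`; once any scope is listed, every unlisted scope drops to none, so `actions/checkout@v4` runs with no explicit read grant, which may still succeed on a public repository but would fail on a private one, and stating `contents: read` makes the least-privilege intent explicit either way. For a workflow whose whole purpose is supply-chain hygiene, `actions/checkout@v4` and `rustsec/audit-check@v2.0.0` are referenced by mutable tags; pinning each to a full commit SHA with the version kept as a trailing comment, e.g. `- uses: rustsec/audit-check@<COMMIT_SHA_PLACEHOLDER> # v2.0.0`, removes the tag-retargeting risk. The commit description speaks of three checked-in lock files, but the matrix only lists `Cargo-minimal.lock` and `Cargo-recent.lock`; if a third lock file exists in the repository it is not audited by this job.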
@@ -192,9 +192,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 [[package]]
 name = "bytes"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 [[package]]
 name = "bzip2"
@@ -728,9 +728,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",
@@ -1034,9 +1034,9 @@ dependencies = [
 [[package]]
 name = "tar"
-version = "0.4.43"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c65998313f8e17d0d553d28f91a0df93e4dbbbf770279c7bc21ca0f09ea1a1f6"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
 "filetime",
 "libc",
diff --git a/Cargo-recent.lock b/Cargo-recent.lock
index 23633d4c..16fa99fa 100644
--- a/Cargo-recent.lock
+++ b/Cargo-recent.lock
@@ -192,9 +192,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 [[package]]
 name = "bytes"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 [[package]]
 name = "bzip2"
@@ -728,9 +728,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",
@@ -1034,9 +1034,9 @@ dependencies = [
 [[package]]
 name = "tar"
-version = "0.4.43"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c65998313f8e17d0d553d28f91a0df93e4dbbbf770279c7bc21ca0f09ea1a1f6"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
 "filetime",
 "libc",

From 1880501c70102838fb369068321b3919632c9ba5 Mon Sep 17 00:00:00 2001
From: Elias Rohrer
Date: Mon, 20 Apr 2026 09:15:38 +0200
Subject: [PATCH 3/4] Bump ring to fix cargo-audit findings

Bump ring to 0.17.14 to address RUSTSEC-2025-0009.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer
---
 Cargo-minimal.lock | 11 ++---------
 Cargo-recent.lock | 11 ++---------
 2 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/Cargo-minimal.lock b/Cargo-minimal.lock
index 16fa99fa..e58e5a2b 100644
--- a/Cargo-minimal.lock
+++ b/Cargo-minimal.lock
@@ -781,15 +781,14 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
 [[package]]
 name = "ring"
-version = "0.17.8"
+version = "0.17.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
 dependencies = [
 "cc",
 "cfg-if",
 "getrandom 0.2.15",
 "libc",
- "spin",
 "untrusted",
 "windows-sys 0.52.0",
 ]
@@ -1009,12 +1008,6 @@ dependencies = [
 "winapi",
 ]
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
 [[package]]
 name = "subtle"
 version = "2.6.1"
diff --git a/Cargo-recent.lock b/Cargo-recent.lock
index 16fa99fa..e58e5a2b 100644
--- a/Cargo-recent.lock
+++ b/Cargo-recent.lock
@@ -781,15 +781,14 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
 [[package]]
 name = "ring"
-version = "0.17.8"
+version = "0.17.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
 dependencies = [
 "cc",
 "cfg-if",
 "getrandom 0.2.15",
 "libc",
- "spin",
 "untrusted",
 "windows-sys 0.52.0",
 ]
@@ -1009,12 +1008,6 @@ dependencies = [
 "winapi",
 ]
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
 [[package]]
 name = "subtle"
 version = "2.6.1"

From 52e3dad9d6e671109614d45d19a07dcdb27ec716 Mon Sep 17 00:00:00 2001
From: Elias Rohrer
Date: Mon, 20 Apr 2026 09:27:09 +0200
Subject: [PATCH 4/4] CI: Audit a freshly-resolved Cargo.lock in addition to pinned locks

The checked-in Cargo-minimal.lock and Cargo-recent.lock are only as fresh as their last manual update, so advisories affecting versions that the resolver would pick right now can slip through between lock refreshes. Add a matrix leg that runs `cargo generate-lockfile` before auditing, giving us clean-slate coverage on every scheduled run.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer
---
 .github/workflows/audit.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 26dd2d46..8adab10f 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -18,10 +18,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- lockfile: [Cargo-minimal.lock, Cargo-recent.lock]
+ lockfile: [Cargo.lock, Cargo-minimal.lock, Cargo-recent.lock]
 steps:
 - uses: actions/checkout@v4
+ - name: Generate fresh Cargo.lock
+ if: ${{ matrix.lockfile == 'Cargo.lock' }}
+ run: cargo generate-lockfile
 - name: Use ${{ matrix.lockfile }}
+ if: ${{ matrix.lockfile != 'Cargo.lock' }}
 run: cp ${{ matrix.lockfile }} Cargo.lock
 - uses: rustsec/audit-check@v2.0.0
 with:
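Review bot: The new `Cargo.lock` matrix leg runs on `push` and `pull_request` as well, not only on the schedule the description targets, so a newly published advisory on whatever the resolver picks that day will fail a PR that changed nothing related to it; keeping the leg advisory outside the cron run preserves the signal without blocking merges, e.g. a job-level `continue-on-error: ${{ matrix.lockfile == 'Cargo.lock' && github.event_name != 'schedule' }}`. The `Generate fresh Cargo.lock` step also depends on whichever cargo the `ubuntu-latest` image preinstalls and on the registry index at run time, which is the intent but is worth stating next to the step, e.g. `# Resolves against the live registry with the runner's preinstalled toolchain; results vary run to run by design.`. Since `cargo generate-lockfile` only resolves and does not compile or run build scripts, the leg adds no code-execution exposure on PRs beyond the existing checkout. The `jobs:` block this hunk belongs to starts above the hunk.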