Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion .github/workflows/security-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,15 @@ jobs:
# not a parser of untrusted PDFs, so the deeply-nested-input
# surface is not reached. Tracking for a printpdf release that
# moves to lopdf >=0.42.
# - RUSTSEC-2025-0144 (ml-dsa) — timing side-channel in ML-DSA
# decomposition. Transitive via `servo-script`, part of the
# EXPERIMENTAL, feature-gated Servo web-engine switch (opt-in,
# not in the default build graph — `cargo tree -i ml-dsa` does
# not resolve it without the Servo feature). Patched only in a
# pre-release (>=0.1.0-rc.3), and servo-script pins 0.0.4, so
# there is no actionable stable bump yet. Perry does not exercise
# ML-DSA signing in this context. Tracking for servo-script to
# move to a released ml-dsa >=0.1.0.
#
# Previously the job ran `--deny warnings` which also
# escalated every "unmaintained crate" notice into a hard
Expand All @@ -62,4 +71,5 @@ jobs:
--ignore RUSTSEC-2023-0071 \
--ignore RUSTSEC-2026-0118 \
--ignore RUSTSEC-2026-0119 \
--ignore RUSTSEC-2026-0187
--ignore RUSTSEC-2026-0187 \
--ignore RUSTSEC-2025-0144
Loading
Loading