Skip to content

Update rustsec v0.31#805

Merged
Jake-Shadle merged 1 commit intoEmbarkStudios:mainfrom
jayvdb:update-rustsec
Nov 23, 2025
Merged

Update rustsec v0.31#805
Jake-Shadle merged 1 commit intoEmbarkStudios:mainfrom
jayvdb:update-rustsec

Conversation

@jayvdb
Copy link
Copy Markdown
Contributor

@jayvdb jayvdb commented Nov 22, 2025
edited
Loading

@jayvdb jayvdb requested a review from Jake-Shadle as a code owner November 22, 2025 10:34
@jayvdb jayvdb changed the title Update rustsec Update rustsec v0.31 Nov 22, 2025
@jayvdb jayvdb mentioned this pull request Nov 22, 2025
Closed
@jayvdb
Copy link
Copy Markdown
Contributor Author

jayvdb commented Nov 22, 2025

ping @Jake-Shadle

@djc
Copy link
Copy Markdown

djc commented Nov 22, 2025

There's really no need to mention people -- people watch their repos and get notifications anyway.

@Skgland Skgland mentioned this pull request Nov 22, 2025
Merged
@tisonkun
Copy link
Copy Markdown
Contributor

tisonkun commented Nov 22, 2025

There's really no need to mention people -- people watch their repos and get notifications anyway.

Not quite. Subscription sends emails to subscribed@noreply.github.com while mention would add user's personal email address in cc (as well as mention@noreply.github.com). People (like me) may use speicial rules to highlight emails that directly send to the personal mailbox.

@Jake-Shadle Jake-Shadle merged commit 8aca4c8 into EmbarkStudios:main Nov 23, 2025
12 checks passed
@carodewig carodewig mentioned this pull request Dec 19, 2025
Merged
10 tasks
picodata-account pushed a commit to picodata/picodata that referenced this pull request Dec 24, 2025
ci(audit): bump version of cargo-deny to fix CI failure
9b8f77d 
The audit stage fails in CI when cargo-deny 0.18.3, invoked by `make
audit`, attempts to parse advisories containing CVSS 4.0 vectors,
resulting in a "unsupported CVSS version: 4.0" error:

    $ make audit
    cargo deny --workspace check
    2025-12-24 16:11:44 [ERROR] failed to load advisory database: parse error: error parsing /builds/core/picodata/.cargo/advisory-dbs/advisory-db-3157b0e258782691/crates/cap-primitives/RUSTSEC-2024-0445.md: parse error: TOML parse error at line 8, column 8
      |
    8 | cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
      |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    unsupported CVSS version: 4.0
    make: *** [Makefile:164: audit] Error 1

This occurs because older cargo-deny versions do not support the
newer CVSS 4.0 standard used in recently published advisories (like
RUSTSEC-2024-0445).

This commit updates cargo-deny from version 0.18.3 to 0.18.9. The newer version
includes support for CVSS 4.0 vectors, allowing `make audit` to parse the
advisory database successfully and complete the security check without errors.

Version of `cargo-deny` is still pinned to avoid premature MSRV bumps.
It tends to bump its minimum supported Rust version soon after new
Rust releases, but our project's Rust version update cycle is more
conservative, which will cause CI to fetch another Rust compiler
version, making it observably slower, especially on a high load.

Addresses: <https://git.picodata.io/core/picodata/-/jobs/793344>.
See-also: <EmbarkStudios/cargo-deny#804>.
See-also: <EmbarkStudios/cargo-deny#805>.
@mukilan mukilan mentioned this pull request Jan 12, 2026
Closed
bfung added a commit to vectordotdev/vrl that referenced this pull request Jan 16, 2026
@bfung @claude
chore: update cargo-deny to 0.19.0 to fix CVSS 4.0 compatibility
b52cd30 
Updated cargo-deny from version 0.18.3 to 0.19.0 to resolve the
"unsupported CVSS version: 4.0" error that occurs when parsing the
RustSec advisory database.

The fix was introduced in cargo-deny 0.18.6 by updating the rustsec
dependency to version 0.31, which includes CVSS 4.0 support.

Changes:
- Updated cargo-deny version in scripts/check_deny.sh from 0.18.3 to 0.19.0
- Verified all checks pass: advisories, bans, licenses, and sources

References:
- GitHub Issue: EmbarkStudios/cargo-deny#804
- Fix PR: EmbarkStudios/cargo-deny#805

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 10, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
de370f4 
Fixes 

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z] 
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
@kristof-mattei kristof-mattei mentioned this pull request Mar 10, 2026
Merged
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
0564df2 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
b37f22b 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
f7d4e4d 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
e628732 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
a23aeb6 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
kristof-mattei added a commit to logdna/build-images that referenced this pull request Mar 11, 2026
@kristof-mattei
chore: bump cargo-audit to 0.22.1
f8eebaa 
Fixes

```
[2026-03-03T18:27:51.852Z] + make lint-audit
[2026-03-03T18:27:51.852Z] ARCH=x86_64 ./docker/dispatch.sh "/build" "/tmp/workspace/jenkins-logdna-logdna-agent-v2-master-438:/build:Z" us.gcr.io/logdna-k8s/rust:bookworm-1-stable-x86_64 "--env RUST_BACKTRACE=full" "cargo audit  \
[2026-03-03T18:27:51.852Z]     --ignore RUSTSEC-2024-0421"
[2026-03-03T18:27:52.415Z] starting sccache server
[2026-03-03T18:27:52.415Z]     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
[2026-03-03T18:27:54.939Z] error: error loading advisory database: parse error: error parsing /opt/rust/cargo/advisory-db/crates/libcrux-ed25519/RUSTSEC-2026-0026.md: parse error: TOML parse error at line 7, column 8
[2026-03-03T18:27:54.939Z]   |
[2026-03-03T18:27:54.939Z] 7 | cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
[2026-03-03T18:27:54.939Z]   |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026-03-03T18:27:54.939Z] unsupported CVSS version: 4.0
[2026-03-03T18:27:54.939Z]
[2026-03-03T18:27:54.939Z] make: *** [Makefile:266: lint-audit] Error 1
```

See EmbarkStudios/cargo-deny#805
This was referenced Mar 20, 2026
Closed
Merged
fengmk2 added a commit to voidzero-dev/vite-plus that referenced this pull request Mar 24, 2026
@fengmk2
fix(ci): pin cargo-deny to 0.18.9 for CVSS 4.0 support
403ce48 
The setup-rust action resolves cargo-deny@latest to 0.18.4 which cannot
parse CVSS 4.0 scores in the advisory database (RUSTSEC-2026-0009).
Pin to 0.18.9 which includes the fix from EmbarkStudios/cargo-deny#805.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jake-Shadle Jake-Shadle Awaiting requested review from Jake-Shadle Jake-Shadle is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: unsupported CVSS version: 4.0

4 participants

@jayvdb @djc @tisonkun @Jake-Shadle