## Summary

The project currently has no CI check for known vulnerabilities (CVEs) in dependencies. `cargo-deny` is already installed in CI for license checking, but `cargo deny check advisories` is not run.

## Proposal

- Add `cargo deny check advisories` to the existing `check_license_and_formatting` workflow — catches vulnerabilities on every PR.
- Add a scheduled `audit.yml` workflow (e.g. weekly cron) — catches newly disclosed CVEs against existing dependencies on `main`.
- Add an `[advisories]` section to `deny.toml` to configure severity thresholds.

## Context

- `cargo-deny@0.14.22` is already pinned in CI for license checks.
- `Cargo.lock` is now committed (after chore: improve cargo cache #478), so `cargo deny check advisories` / `cargo audit` will work correctly.
- A recent audit found 1 vulnerability (RUSTSEC-2026-0066 in `astral-tokio-tar`) and 1 unmaintained crate warning (`rustls-pemfile`), both resolved by upgrading `testcontainers` to 0.27.2.
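As an added illustration of the scheduled workflow in the proposal (example code written for this issue, not a file from the project), here is what a weekly `audit.yml` could look like. It assumes the project keeps workflows under `.github/workflows/`, that `cargo` is available on the runner, and that the same `cargo-deny` 0.14.22 pin used for license checks is wanted here; the cron expression and job name are arbitrary choices.

```yaml
# .github/workflows/audit.yml  (added example; not the project's own file)
name: Dependency advisories

on:
  schedule:
    # Every Monday at 06:00 UTC: picks up RUSTSEC advisories published
    # after the last PR-triggered run, checked against what is on main.
    - cron: "0 6 * * 1"
  workflow_dispatch:   # allow a manual run when a new advisory is announced

permissions:
  contents: read       # read-only token; the job only reads Cargo.lock

jobs:
  advisories:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Same version the issue says is already pinned for license checks,
      # so PR runs and scheduled runs audit with identical tooling.
      - name: Install cargo-deny
        run: cargo install --locked cargo-deny --version 0.14.22

      # Fails the job on any advisory that deny.toml does not explicitly ignore.
      # Because Cargo.lock is committed, the audited graph is the one that ships.
      - name: Check RustSec advisories
        run: cargo deny check advisories
```

The per-PR check is the same final step appended to `check_license_and_formatting`; the scheduled run exists only because advisories are disclosed against dependencies that have not changed, so a PR-only check would miss them. If an advisory has to be accepted temporarily (no fixed release yet), the reviewable way is an entry in the `[advisories]` `ignore` list of `deny.toml` carrying the RUSTSEC id, rather than relaxing the severity threshold for everything.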