Skip to content

Add Cargo sparse registry advisory references#8268

Open
cookesan wants to merge 2 commits into
github:cookesan/advisory-improvement-8268from
cookesan:cargo-p688-fix-reference
Open

Add Cargo sparse registry advisory references#8268
cookesan wants to merge 2 commits into
github:cookesan/advisory-improvement-8268from
cookesan:cargo-p688-fix-reference

Conversation

@cookesan

@cookesan cookesan commented Jun 29, 2026

Copy link
Copy Markdown

Adds Cargo sparse registry advisory references to GHSA-p688-r7jv-fm6f.

Audit refresh, July 8, 2026:

  • Confirmed the live PR is open, ready for review, merge-clean, and the visible advisory check is green.
  • Rechecked the merge-base diff: exactly one advisory JSON file changes (advisories/github-reviewed/2026/06/GHSA-p688-r7jv-fm6f/GHSA-p688-r7jv-fm6f.json), JSON parses, git diff --check passes, and the exact-head worktree is clean.
  • Revalidated the added public references in the diff; all resolve through their source site or registry.

@github-actions github-actions Bot changed the base branch from main to cookesan/advisory-improvement-8268 June 29, 2026 10:10
@cookesan

cookesan commented Jul 7, 2026

Copy link
Copy Markdown
Author

Rechecked this reference-only PR while keeping the open Advisory Database queue current.

Adds direct upstream references for GHSA-p688-r7jv-fm6f. The advisory already references NVD, upstream PR #17031, the Rust blog post, package source, and the security announcement; this PR adds the relevant Cargo commit and the release-branch PR that contains that commit.

Current audit, July 8, 2026:

  • GHSA-p688-r7jv-fm6f is live and not withdrawn.
  • CVE-2026-5222 resolves in NVD with Analyzed status.
  • Commit 3c51f26a26501ac51fd593db0d21f88719c65b1b resolves in rust-lang/cargo with subject CVE-2026-5222: avoid stripping .git suffix when for non git registries.
  • The commit is associated with PR #17030 on the rust-1.96.0 branch; the advisory also keeps upstream PR #17031 for the mainline fix.
  • crates.io cargo 0.97.0 resolves and is not yanked.
  • Local JSON validation and whitespace checks pass, and the diff only changes this advisory.

No advisory data fields are changed.

@cookesan cookesan changed the title Add Cargo sparse registry fix reference Add Cargo sparse registry advisory references Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant