fix: Address RUSTSEC-2026-0001 (#1994)

## Which issue does this PR close?

- Closes #1992 
- Closes #1993 

## What changes are included in this PR?

Update dependency to upgrade rkyv, but we still have to ignore it and
wait for rust_decimal to resolve it.

## Are these changes tested?

CI.

Author: liurenjie1024

.cargo/audit.toml

@@ -33,4 +33,7 @@ ignore = [
   #
   # Introduced by object_store, see https://github.com/apache/arrow-rs-object-store/issues/564
   "RUSTSEC-2025-0134",
+
+  # Tracked here: https://github.com/paupino/rust-decimal/issues/766
+  "RUSTSEC-2026-0001",
 ]

Cargo.lock

@@ -109,7 +109,7 @@ rand = "0.8.5"
 regex = "1.11.3"
 reqwest = { version = "0.12.12", default-features = false, features = ["json"] }
 roaring = { version = "0.11" }
-rust_decimal = "1.37.2"
+rust_decimal = { version = "1.39", default-features = false, features = ["std"] }
 serde = { version = "1.0.219", features = ["rc"] }
 serde_bytes = "0.11.17"
 serde_derive = "1.0.219"
@@ -131,4 +131,4 @@ url = "2.5.7"
 uuid = { version = "1.18", features = ["v7"] }
 volo = "0.10.6"
 volo-thrift = "0.10.8"
-zstd = "0.13.3"
+zstd = "0.13.3"

Cargo.toml

@@ -37,10 +37,16 @@ pyo3 = { version = "0.26", features = ["extension-module", "abi3-py310"] }
 iceberg-datafusion = { path = "../../crates/integrations/datafusion" }
 datafusion-ffi = { version = "51.0" }
 tokio = { version = "1.46.1", default-features = false }
+# Security: disable rkyv feature to avoid RUSTSEC-2026-0001 (rkyv 0.7.45 vulnerability)
+rust_decimal = { version = "1.39", default-features = false, features = ["std"] }
 
 [profile.release]
 codegen-units = 1
 debug = false
 lto = "thin"
 opt-level = "z"
 strip = true
+
+[package.metadata.cargo-machete]
+# rust_decimal is included to override feature flags for security (disable rkyv)
+ignored = ["rust_decimal"]