From 695c204248a4d2c068e681085f29654c063d8f71 Mon Sep 17 00:00:00 2001
From: Ray Liu
Date: Tue, 6 Jan 2026 10:33:32 +0800
Subject: [PATCH 1/2] Address rkyv issue

---
 .cargo/audit.toml | 3 ++
 Cargo.lock | 61 ++++++++++++++++++++++++++---------
 Cargo.toml | 4 ++-
 bindings/python/Cargo.toml | 2 ++
 crates/catalog/hms/Cargo.toml | 1 +
 crates/iceberg/Cargo.toml | 1 +
 6 files changed, 55 insertions(+), 17 deletions(-)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 09e2d35c50..d403f0ac5a 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -33,4 +33,7 @@ ignore = [
 #
 # Introduced by object_store, see https://github.com/apache/arrow-rs-object-store/issues/564
 "RUSTSEC-2025-0134",
+
+ # Tracked here: https://github.com/paupino/rust-decimal/issues/766
+ "RUSTSEC-2026-0001",
 ]
diff --git a/Cargo.lock b/Cargo.lock
index 97ee25d658..58cb7947a9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1139,11 +1139,23 @@ version = "0.6.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23cdc57ce23ac53c931e88a43d06d070a6fd142f2617be5855eb75efc9beb1c2"
 dependencies = [
- "bytecheck_derive",
+ "bytecheck_derive 0.6.12",
 "ptr_meta 0.1.4",
 "simdutf8",
 ]
 
+[[package]]
+name = "bytecheck"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0caa33a2c0edca0419d15ac723dff03f1956f7978329b1e3b5fdaaaed9d3ca8b"
+dependencies = [
+ "bytecheck_derive 0.8.2",
+ "ptr_meta 0.3.1",
+ "rancor",
+ "simdutf8",
+]
+
 [[package]]
 name = "bytecheck_derive"
 version = "0.6.12"
@@ -1155,6 +1167,17 @@ dependencies = [
 "syn 1.0.109",
 ]
 
+[[package]]
+name = "bytecheck_derive"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89385e82b5d1821d2219e0b095efa2cc1f246cbf99080f3be46a1a85c0d392d9"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.111",
+]
+
 [[package]]
 name = "bytemuck"
 version = "1.24.0"
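Review bot: The new ignore entry for RUSTSEC-2026-0001 does not record which dependency brings the advisory in, unlike the entry above it, which names object_store, so a later reader cannot tell whether the ignore is still needed. Since this same series disables rust_decimal's rkyv feature as the actual mitigation, the entry should either name the remaining path or be dropped so that cargo-audit fails again if the affected rkyv version reappears in Cargo.lock; an ignore here applies to every dependency path and would also hide any other crate that pulls that version. If rust_decimal is indeed the path, as the linked issue suggests, a comment in the sibling's form would do: `# Introduced by rust_decimal's rkyv feature, see https://github.com/paupino/rust-decimal/issues/766`. The `ignore` array starts outside the hunk.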
@@ -2715,7 +2738,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baec6a0289d7f1fe5665586ef7340af82e3037207bef60f5785e57569776f0c8" dependencies = [ "bytes", - "rkyv 0.8.12", + "rkyv 0.8.13", "serde", "simdutf8", ] @@ -3386,6 +3409,7 @@ dependencies = [ "regex", "reqsign", "reqwest", + "rkyv 0.8.13", "roaring", "rust_decimal", "serde", @@ -3445,6 +3469,7 @@ dependencies = [ "motore-macros", "pilota", "port_scanner", + "rkyv 0.8.13", "serde_json", "tokio", "tracing", @@ -5425,7 +5450,7 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71fe3824f5629716b1589be05dacd749f6aa084c87e00e016714a8cdfccc997c" dependencies = [ - "bytecheck", + "bytecheck 0.6.12", ] [[package]] @@ -5433,6 +5458,9 @@ name = "rend" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cadadef317c2f20755a64d7fdc48f9e7178ee6b0e1f7fce33fa60f1d68a276e6" +dependencies = [ + "bytecheck 0.8.2", +] [[package]] name = "reqsign" @@ -5525,17 +5553,17 @@ dependencies = [ [[package]] name = "rkyv" -version = "0.7.45" +version = "0.7.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b" +checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1" dependencies = [ "bitvec", - "bytecheck", + "bytecheck 0.6.12", "bytes", "hashbrown 0.12.3", "ptr_meta 0.1.4", "rend 0.4.2", - "rkyv_derive 0.7.45", + "rkyv_derive 0.7.46", "seahash", "tinyvec", "uuid", 
@@ -5543,27 +5571,28 @@ dependencies = [ [[package]] name = "rkyv" -version = "0.8.12" +version = "0.8.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35a640b26f007713818e9a9b65d34da1cf58538207b052916a83d80e43f3ffa4" +checksum = "8b2e88acca7157d83d789836a3987dafc12bc3d88a050e54b8fe9ea4aaa29d20" dependencies = [ + "bytecheck 0.8.2", "bytes", - "hashbrown 0.15.5", + "hashbrown 0.16.1", "indexmap 2.12.1", "munge", "ptr_meta 0.3.1", "rancor", "rend 0.5.3", - "rkyv_derive 0.8.12", + "rkyv_derive 0.8.13", "tinyvec", "uuid", ] [[package]] name = "rkyv_derive" -version = "0.7.45" +version = "0.7.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0" +checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5" dependencies = [ "proc-macro2", "quote", @@ -5572,9 +5601,9 @@ dependencies = [ [[package]] name = "rkyv_derive" -version = "0.8.12" +version = "0.8.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd83f5f173ff41e00337d97f6572e416d022ef8a19f371817259ae960324c482" +checksum = "7f6dffea3c91fa91a3c0fc8a061b0e27fef25c6304728038a6d6bcb1c58ba9bd" dependencies = [ "proc-macro2", "quote", @@ -5663,7 +5692,7 @@ dependencies = [ "num-traits", "postgres-types", "rand 0.8.5", - "rkyv 0.7.45", + "rkyv 0.7.46", "serde", "serde_json", ] diff --git a/Cargo.toml b/Cargo.toml index d099398dbd..08269a116f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -109,7 +109,7 @@ rand = "0.8.5" regex = "1.11.3" reqwest = { version = "0.12.12", default-features = false, features = ["json"] } roaring = { version = "0.11" } -rust_decimal = "1.37.2" +rust_decimal = { version = "1.39", default-features = false, features = ["std"] } serde = { version = "1.0.219", features = ["rc"] } serde_bytes = "0.11.17" serde_derive = "1.0.219" 
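Review bot: Setting `default-features = false` on rust_decimal in the `@@ -109,7 +109,7 @@` hunk only removes its rkyv feature if no other crate in the graph re-enables it, because Cargo unifies features across all dependents, and the Cargo.lock hunk at `@@ -5663,7 +5692,7 @@` in this same patch still lists `"rkyv 0.7.46"` under a dependency list that matches rust_decimal's (the package name is outside that hunk), which suggests another dependent still turns the feature on. Worth confirming with `cargo tree -i rust_decimal -e features` before treating this line as the mitigation; if a transitive dependent is the source, the ignore added to .cargo/audit.toml becomes the real control and should say so. A short comment on the line, `# default-features off drops the rkyv feature (RUSTSEC-2026-0001); other dependents may still enable it`, would keep the next reader from assuming the feature is gone. The enclosing dependency table starts outside the hunk.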
@@ -132,3 +132,5 @@ uuid = { version = "1.18", features = ["v7"] }
 volo = "0.10.6"
 volo-thrift = "0.10.8"
 zstd = "0.13.3"
+# See: https://github.com/apache/iceberg-rust/issues/1992
+rkyv = "0.8.13"
\ No newline at end of file
diff --git a/bindings/python/Cargo.toml b/bindings/python/Cargo.toml
index 9ec58cf807..ddb62edbb5 100644
--- a/bindings/python/Cargo.toml
+++ b/bindings/python/Cargo.toml
@@ -37,6 +37,8 @@ pyo3 = { version = "0.26", features = ["extension-module", "abi3-py310"] }
 iceberg-datafusion = { path = "../../crates/integrations/datafusion" }
 datafusion-ffi = { version = "51.0" }
 tokio = { version = "1.46.1", default-features = false }
+# Security: disable rkyv feature to avoid RUSTSEC-2026-0001 (rkyv 0.7.45 vulnerability)
+rust_decimal = { version = "1.37.2", default-features = false, features = ["std"] }
 
 [profile.release]
 codegen-units = 1
diff --git a/crates/catalog/hms/Cargo.toml b/crates/catalog/hms/Cargo.toml
index 549dbb9c02..fafb1fefb5 100644
--- a/crates/catalog/hms/Cargo.toml
+++ b/crates/catalog/hms/Cargo.toml
@@ -52,6 +52,7 @@ linkedbytes = { workspace = true }
 metainfo = { workspace = true }
 motore-macros = { workspace = true }
 volo = { workspace = true }
+rkyv = { workspace = true }
 
 [dev-dependencies]
 ctor = { workspace = true }
diff --git a/crates/iceberg/Cargo.toml b/crates/iceberg/Cargo.toml
index 6f1332a444..b82e93d4e1 100644
--- a/crates/iceberg/Cargo.toml
+++ b/crates/iceberg/Cargo.toml
@@ -89,6 +89,7 @@ typed-builder = { workspace = true }
 url = { workspace = true }
 uuid = { workspace = true }
 zstd = { workspace = true }
+rkyv = { workspace = true }
 
 [dev-dependencies]
 ctor = { workspace = true }
From 948970a4acae48079fa12353403aaa497ad5c812 Mon Sep 17 00:00:00 2001
From: Ray Liu Date: Wed, 7 Jan 2026 08:16:42 +0800 Subject: [PATCH 2/2] Fix ci --- Cargo.lock | 35 +-------- Cargo.toml | 4 +- bindings/python/Cargo.lock | 131 +++++++++++++++++++++++++++++++--- bindings/python/Cargo.toml | 6 +- crates/catalog/hms/Cargo.toml | 1 - crates/iceberg/Cargo.toml | 1 - 6 files changed, 131 insertions(+), 47 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 58cb7947a9..73494910b6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1139,23 +1139,11 @@ version = "0.6.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23cdc57ce23ac53c931e88a43d06d070a6fd142f2617be5855eb75efc9beb1c2" dependencies = [ - "bytecheck_derive 0.6.12", + "bytecheck_derive", "ptr_meta 0.1.4", "simdutf8", ] -[[package]] -name = "bytecheck" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0caa33a2c0edca0419d15ac723dff03f1956f7978329b1e3b5fdaaaed9d3ca8b" -dependencies = [ - "bytecheck_derive 0.8.2", - "ptr_meta 0.3.1", - "rancor", - "simdutf8", -] - [[package]] name = "bytecheck_derive" version = "0.6.12" @@ -1167,17 +1155,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "bytecheck_derive" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89385e82b5d1821d2219e0b095efa2cc1f246cbf99080f3be46a1a85c0d392d9" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.111", -] - [[package]] name = "bytemuck" version = "1.24.0" @@ -3409,7 +3386,6 @@ dependencies = [ "regex", "reqsign", "reqwest", - "rkyv 0.8.13", "roaring", "rust_decimal", "serde", @@ -3469,7 +3445,6 @@ dependencies = [ "motore-macros", "pilota", "port_scanner", - "rkyv 0.8.13", "serde_json", "tokio", "tracing", @@ -5450,7 +5425,7 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71fe3824f5629716b1589be05dacd749f6aa084c87e00e016714a8cdfccc997c" dependencies = [ - "bytecheck 0.6.12", + "bytecheck", ] [[package]] 
@@ -5458,9 +5433,6 @@ name = "rend" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cadadef317c2f20755a64d7fdc48f9e7178ee6b0e1f7fce33fa60f1d68a276e6" -dependencies = [ - "bytecheck 0.8.2", -] [[package]] name = "reqsign" @@ -5558,7 +5530,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1" dependencies = [ "bitvec", - "bytecheck 0.6.12", + "bytecheck", "bytes", "hashbrown 0.12.3", "ptr_meta 0.1.4", @@ -5575,7 +5547,6 @@ version = "0.8.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b2e88acca7157d83d789836a3987dafc12bc3d88a050e54b8fe9ea4aaa29d20" dependencies = [ - "bytecheck 0.8.2", "bytes", "hashbrown 0.16.1", "indexmap 2.12.1", diff --git a/Cargo.toml b/Cargo.toml index 08269a116f..56cd1801cc 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -131,6 +131,4 @@ url = "2.5.7" uuid = { version = "1.18", features = ["v7"] } volo = "0.10.6" volo-thrift = "0.10.8" -zstd = "0.13.3" -# See: https://github.com/apache/iceberg-rust/issues/1992 -rkyv = "0.8.13" \ No newline at end of file +zstd = "0.13.3" \ No newline at end of file diff --git a/bindings/python/Cargo.lock b/bindings/python/Cargo.lock index 4647f9d886..d33abed581 100644 --- a/bindings/python/Cargo.lock +++ b/bindings/python/Cargo.lock @@ -668,8 +668,20 @@ version = "0.6.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23cdc57ce23ac53c931e88a43d06d070a6fd142f2617be5855eb75efc9beb1c2" dependencies = [ - "bytecheck_derive", - "ptr_meta", + "bytecheck_derive 0.6.12", + "ptr_meta 0.1.4", + "simdutf8", +] + +[[package]] +name = "bytecheck" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0caa33a2c0edca0419d15ac723dff03f1956f7978329b1e3b5fdaaaed9d3ca8b" +dependencies = [ + "bytecheck_derive 0.8.2", + "ptr_meta 0.3.1", + "rancor", "simdutf8", ] 
@@ -684,6 +696,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "bytecheck_derive" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "89385e82b5d1821d2219e0b095efa2cc1f246cbf99080f3be46a1a85c0d392d9" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + [[package]] name = "bytemuck" version = "1.24.0" @@ -2350,6 +2373,7 @@ dependencies = [ "rand 0.8.5", "reqsign", "reqwest", + "rkyv 0.8.13", "roaring", "rust_decimal", "serde", @@ -2841,6 +2865,26 @@ dependencies = [ "uuid", ] +[[package]] +name = "munge" +version = "0.4.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e17401f259eba956ca16491461b6e8f72913a0a114e39736ce404410f915a0c" +dependencies = [ + "munge_macro", +] + +[[package]] +name = "munge_macro" +version = "0.4.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4568f25ccbd45ab5d5603dc34318c1ec56b117531781260002151b8530a9f931" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + [[package]] name = "murmur3" version = "0.5.2" @@ -3220,7 +3264,16 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0738ccf7ea06b608c10564b31debd4f5bc5e197fc8bfe088f68ae5ce81e7a4f1" dependencies = [ - "ptr_meta_derive", + "ptr_meta_derive 0.1.4", +] + +[[package]] +name = "ptr_meta" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b9a0cf95a1196af61d4f1cbdab967179516d9a4a4312af1f31948f8f6224a79" +dependencies = [ + "ptr_meta_derive 0.3.1", ] [[package]] @@ -3234,6 +3287,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "ptr_meta_derive" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7347867d0a7e1208d93b46767be83e2b8f978c3dad35f775ac8d8847551d6fe1" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + [[package]] name = "pyiceberg_core_rust" version = "0.8.0" 
@@ -3243,6 +3307,7 @@ dependencies = [ "iceberg", "iceberg-datafusion", "pyo3", + "rust_decimal", "tokio", ] @@ -3409,6 +3474,15 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09" +[[package]] +name = "rancor" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a063ea72381527c2a0561da9c80000ef822bdd7c3241b1cc1b12100e3df081ee" +dependencies = [ + "ptr_meta 0.3.1", +] + [[package]] name = "rand" version = "0.8.5" @@ -3564,7 +3638,16 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71fe3824f5629716b1589be05dacd749f6aa084c87e00e016714a8cdfccc997c" dependencies = [ - "bytecheck", + "bytecheck 0.6.12", +] + +[[package]] +name = "rend" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cadadef317c2f20755a64d7fdc48f9e7178ee6b0e1f7fce33fa60f1d68a276e6" +dependencies = [ + "bytecheck 0.8.2", ] [[package]] @@ -3667,17 +3750,36 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b" dependencies = [ "bitvec", - "bytecheck", + "bytecheck 0.6.12", "bytes", "hashbrown 0.12.3", - "ptr_meta", - "rend", - "rkyv_derive", + "ptr_meta 0.1.4", + "rend 0.4.2", + "rkyv_derive 0.7.45", "seahash", "tinyvec", "uuid", ] +[[package]] +name = "rkyv" +version = "0.8.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b2e88acca7157d83d789836a3987dafc12bc3d88a050e54b8fe9ea4aaa29d20" +dependencies = [ + "bytecheck 0.8.2", + "bytes", + "hashbrown 0.16.0", + "indexmap 2.12.0", + "munge", + "ptr_meta 0.3.1", + "rancor", + "rend 0.5.3", + "rkyv_derive 0.8.13", + "tinyvec", + "uuid", +] + [[package]] name = "rkyv_derive" version = "0.7.45" 
@@ -3689,6 +3791,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "rkyv_derive" +version = "0.8.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f6dffea3c91fa91a3c0fc8a061b0e27fef25c6304728038a6d6bcb1c58ba9bd" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.108", +] + [[package]] name = "roaring" version = "0.11.2" @@ -3749,7 +3862,7 @@ dependencies = [ "bytes", "num-traits", "rand 0.8.5", - "rkyv", + "rkyv 0.7.45", "serde", "serde_json", ] diff --git a/bindings/python/Cargo.toml b/bindings/python/Cargo.toml index ddb62edbb5..8346d02703 100644 --- a/bindings/python/Cargo.toml +++ b/bindings/python/Cargo.toml @@ -38,7 +38,7 @@ iceberg-datafusion = { path = "../../crates/integrations/datafusion" } datafusion-ffi = { version = "51.0" } tokio = { version = "1.46.1", default-features = false } # Security: disable rkyv feature to avoid RUSTSEC-2026-0001 (rkyv 0.7.45 vulnerability) -rust_decimal = { version = "1.37.2", default-features = false, features = ["std"] } +rust_decimal = { version = "1.39", default-features = false, features = ["std"] } [profile.release] codegen-units = 1 @@ -46,3 +46,7 @@ debug = false lto = "thin" opt-level = "z" strip = true + +[package.metadata.cargo-machete] +# rust_decimal is included to override feature flags for security (disable rkyv) +ignored = ["rust_decimal"] diff --git a/crates/catalog/hms/Cargo.toml b/crates/catalog/hms/Cargo.toml index fafb1fefb5..549dbb9c02 100644 --- a/crates/catalog/hms/Cargo.toml +++ b/crates/catalog/hms/Cargo.toml @@ -52,7 +52,6 @@ linkedbytes = { workspace = true } metainfo = { workspace = true } motore-macros = { workspace = true } volo = { workspace = true } -rkyv = { workspace = true } [dev-dependencies] ctor = { workspace = true } diff --git a/crates/iceberg/Cargo.toml b/crates/iceberg/Cargo.toml index b82e93d4e1..6f1332a444 100644 --- a/crates/iceberg/Cargo.toml +++ b/crates/iceberg/Cargo.toml 
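Review bot: The comment kept on the rust_decimal line in the `@@ -38,7 +38,7 @@` hunk of bindings/python/Cargo.toml claims the rkyv feature is disabled, yet the bindings/python/Cargo.lock hunk at `@@ -3749,7 +3862,7 @@` in this same patch still records `"rkyv 0.7.45"` under a dependency list that matches rust_decimal's, so the feature appears to remain enabled through some other dependent in the graph (the hunk does not show which). If so, this line overrides nothing and the cargo-machete ignore documents a mitigation that is not in effect; confirm with `cargo tree -i rust_decimal -e features` in bindings/python and either address the enabling dependent or reword the comment. The comment also hard-codes `rkyv 0.7.45` while the workspace Cargo.lock now resolves 0.7.46, so pin the advisory rather than a version: `# Security: disable rust_decimal's rkyv feature (RUSTSEC-2026-0001)`.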
@@ -89,7 +89,6 @@ typed-builder = { workspace = true }
 url = { workspace = true }
 uuid = { workspace = true }
 zstd = { workspace = true }
-rkyv = { workspace = true }
 
 [dev-dependencies]
 ctor = { workspace = true }