fix(deps): ignore unmaintained transitive dependency advisories #12

Merged
mlevkov merged 1 commit into main from fix/ignore-unmaintained-advisories
Dec 16, 2025

Conversation

@mlevkov (Owner) commented Dec 16, 2025

Summary

Adds the unmaintained paste crate advisory (RUSTSEC-2024-0436) to the cargo-deny ignore list. This is a transitive dependency from the iggy SDK that we cannot directly update.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • CI/CD changes

Changes Made

  • Added RUSTSEC-2024-0436 (paste) to deny.toml ignore list with justification

Dependency Analysis

RUSTSEC-2024-0436 (paste)

paste v1.0.15
└── compio-io v0.8.4
    └── iggy_common v0.8.0
        └── iggy v0.8.0
            └── iggy_sample (this crate)

This is a transitive dependency from the iggy SDK. The upstream compio project would need to migrate to pastey (the maintained fork).

RUSTSEC-2025-0134 (rustls-pemfile)

Already ignored in deny.toml. This comes from testcontainers → bollard (dev-dependency only).

Testing

  • Manual testing performed

Test commands run:

cargo clippy -- -D warnings
cargo test --lib

Checklist

Code Quality

  • Code follows project style guidelines (cargo fmt)
  • No new Clippy warnings (cargo clippy -- -D warnings)
  • Public APIs have documentation comments
  • Error handling is appropriate (no unwrap in production code)

Documentation

  • Code comments explain "why" not "what"

Security

  • No secrets or credentials committed
  • No new security vulnerabilities introduced

Related Issues

Closes #10
Closes #11

Additional Notes

Both advisories are for unmaintained crates that are transitive dependencies. We cannot directly update them - the upstream projects (iggy, testcontainers/bollard) need to migrate to alternatives. Adding to the ignore list is the standard practice for such cases.

🤖 Generated with Claude Code
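The change above records each ignored advisory together with a justification. cargo-deny accepts an `[advisories].ignore` entry either as a bare advisory id string or as a table of the form `{ id = "...", reason = "..." }`; only the second form keeps the justification next to the id. The following script is an added example, not part of this PR or the iggy_sample repository: it parses a deny.toml fragment (constructed here, not the repository's own file) and reports any ignored advisory that carries no reason, which is the kind of check a CI job could run so that future ignores do not silently drop the "why". The id `RUSTSEC-2020-0000` is a made-up placeholder used only to trigger the lint.

```python
"""Lint the advisory ignore list of a cargo-deny deny.toml.

Added example; assumes only the documented cargo-deny ignore entry forms
(bare id string, or table with `id` and `reason`). Requires Python 3.11+
for tomllib (falls back to the third-party `tomli` package if present).
"""
import re

try:
    import tomllib
except ModuleNotFoundError:  # Python < 3.11
    import tomli as tomllib

# RustSec ids have the shape RUSTSEC-YYYY-NNNN.
ADVISORY_ID = re.compile(r"^RUSTSEC-\d{4}-\d{4}$")

# Constructed sample deny.toml fragment (not the repository's file). The two
# real ids mirror the PR; the last entry is a placeholder with no reason.
SAMPLE_DENY_TOML = """
[advisories]
ignore = [
    # Dev-dependency only: testcontainers -> bollard -> rustls-pemfile
    { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile unmaintained; only reachable via testcontainers/bollard dev-dependency" },
    # Transitive: iggy -> iggy_common -> compio-io -> paste
    { id = "RUSTSEC-2024-0436", reason = "paste unmaintained; transitive via the iggy SDK, upstream compio must migrate to pastey" },
    # Bare-string form with no justification (placeholder id, flagged by the lint)
    "RUSTSEC-2020-0000",
]
"""


def load_ignores(text):
    """Return the raw `[advisories].ignore` array from deny.toml text."""
    data = tomllib.loads(text)
    return data.get("advisories", {}).get("ignore", [])


def normalize(entry):
    """Map either accepted entry form to an (id, reason) pair."""
    if isinstance(entry, str):
        return entry, None
    if isinstance(entry, dict):
        return entry.get("id"), entry.get("reason")
    raise TypeError(f"unsupported ignore entry: {entry!r}")


def find_unjustified(text):
    """List (id, problem) pairs for ignore entries that lack a usable reason.

    A malformed or missing id is reported first; otherwise an absent or
    whitespace-only reason is reported.
    """
    problems = []
    for entry in load_ignores(text):
        advisory_id, reason = normalize(entry)
        if not advisory_id or not ADVISORY_ID.match(advisory_id):
            problems.append((advisory_id, "malformed advisory id"))
        elif not reason or not reason.strip():
            problems.append((advisory_id, "no reason recorded"))
    return problems


if __name__ == "__main__":
    for advisory_id, problem in find_unjustified(SAMPLE_DENY_TOML):
        print(f"{advisory_id}: {problem}")
```

Run against a real file with `find_unjustified(open("deny.toml").read())`; a non-empty result is the signal that an ignore was added without the justification this PR's checklist asks for.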

The paste crate is unmaintained but is a transitive dependency from:
iggy -> iggy_common -> compio-io -> paste

This is outside our control - upstream (iggy/compio) needs to migrate
to pastey or an alternative. Adding to ignore list with justification.

Closes #10
@mlevkov mlevkov merged commit 30908e2 into main Dec 16, 2025
22 checks passed
@mlevkov mlevkov deleted the fix/ignore-unmaintained-advisories branch December 16, 2025 03:59

Development

Successfully merging this pull request may close these issues.

  • RUSTSEC-2025-0134: rustls-pemfile is unmaintained
  • RUSTSEC-2024-0436: paste - no longer maintained