chore(deps): ignore json5 unmaintained advisory in cargo-deny

joshrotenberg · joshrotenberg · commit 5273b99fde9c · 2025-11-24T10:45:17.000-08:00
The config crate 0.15.19 (latest) depends on json5 0.4.1 which is unmaintained.
There is no upgrade path available as this is a transitive dependency.
The advisory is for maintenance status, not a security vulnerability.

RUSTSEC-2025-0120: json5 crate unmaintained (via config)
- config 0.15.19 is the latest version
- No alternative config crate exists with equivalent features
- Safe to ignore as this is a maintenance advisory, not security vulnerability
diff --git a/deny.toml b/deny.toml
@@ -13,7 +13,10 @@ targets = [
 [advisories]
 db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
-ignore = []
+# Unmaintained crates that are transitive dependencies with no safe upgrade path
+ignore = [
+    "RUSTSEC-2025-0120",  # json5 unmaintained (via config 0.15.19, no upgrade available)
+]
 
 [licenses]
 # List of allowed licenses
@@ -58,4 +61,4 @@ skip = [
 unknown-registry = "warn"
 unknown-git = "warn"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-allow-git = []
+allow-git = []
