
Commit d29dd7f

fix: update rand, ignore the RUSTSEC-2026-0097 for now (#320)
1 parent 90236b3 commit d29dd7f

2 files changed

Lines changed: 21 additions & 14 deletions


Cargo.lock

Lines changed: 13 additions & 13 deletions

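--- a/deny.toml
+++ b/deny.toml
@@ -23,7 +23,14 @@ feature-depth = 1
 db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
 yanked = "deny"
-ignore = []
+ignore = [
+# Unsoundness in `rand` 0.7.3 and 0.8.5 reachable only via a custom `log`
+# logger that calls `rand::rng()` and hits a reseed during the log event.
+# The only affected pulls are transitive: `cuckoofilter` -> `libp2p-floodsub`
+# (stuck on 0.7.3) and `alloy-signer-local` (stuck on 0.8.5). Neither is
+# reachable from Pluto's loggers. Remove once upstream bumps to >=0.9.3.
+{ id = "RUSTSEC-2026-0097", reason = "transitive rand <0.9.3 via cuckoofilter and alloy-signer-local; not triggerable from our code" },
+]
 unmaintained = "workspace"
 
 [licenses]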
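Review bot: The ignore entry on the `{ id = "RUSTSEC-2026-0097", ... }` line silences the advisory for every crate in the graph, while the justification in the comment above it only covers the two transitive paths named there (`cuckoofilter` -> `libp2p-floodsub` on 0.7.3 and `alloy-signer-local` on 0.8.5). If a later dependency change pulls `rand` <0.9.3 in through a path that is reachable from the project's own logging, cargo-deny will stay silent, so the "not triggerable from our code" claim should be re-verified whenever the lockfile changes. I would record how the claim was checked and what invalidates it, e.g. append to the comment block: `# Re-check the inverse tree (cargo tree -i rand) on any Cargo.lock change; drop the ignore if rand <0.9.3 shows up on a non-transitive path.` The `reason` string restates the comment almost verbatim; keeping the detailed rationale in the comment and a one-line `reason` would make the long inline-table line easier to scan. The enclosing table header (presumably `[advisories]`) lies above the hunk.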
