chore(ci): security-audit gates on vulnerabilities only (v0.5.881)

`cargo audit --deny warnings` escalated every "unmaintained crate"
notice to a hard PR-blocking failure. Most flagged crates (adler,
fxhash, paste, number_prefix, bincode v1) are transitive deps from
upstream with no in-tree replacement — blocked merges without
actionable fix.

Drop `--deny warnings`; cargo-audit's default already fails on
`vulnerability` advisories (real CVEs). High-severity gate stays
on (rsa RUSTSEC-2023-0071, hickory-proto RUSTSEC-2026-0118/0119
still fail the job). Unmaintained/notice/unsound/yanked surface
as warnings in the log without blocking.

Author: proggeramlug

.github/workflows/security-audit.yml

@@ -27,4 +27,17 @@ jobs:
       - name: Install cargo-audit
         run: cargo install cargo-audit --locked
       - name: Run cargo audit
-        run: cargo audit --deny warnings
+        # Default cargo-audit behavior: fail the run on `vulnerability`
+        # advisories (real CVEs), surface `unmaintained` / `notice` /
+        # `unsound` / `yanked` advisories as warnings in the log.
+        #
+        # Previously this job ran `--deny warnings`, which escalated
+        # every "unmaintained crate" notice into a hard failure. Most
+        # of those are transitive deps from upstream crates with no
+        # in-tree replacement (adler, fxhash, paste, number_prefix,
+        # bincode v1, etc.) — blocking PRs on them stalled merges
+        # without an actionable fix. Vulnerabilities still fail the
+        # job by default, so the high-severity gate (rsa
+        # RUSTSEC-2023-0071, hickory-proto RUSTSEC-2026-0118/0119, etc.)
+        # is preserved.
+        run: cargo audit