Merge pull request #3570 from joske/audit

chore: add audit.toml to ignore known unmaintained crates

Author: vicsn

.cargo/audit.toml

@@ -0,0 +1,6 @@
+[advisories]
+ignore = [
+  # As the rust community considers the paste crate 'done', we can safely ignore this warning.
+  # see https://users.rust-lang.org/t/paste-alternatives/126787/2
+  "RUSTSEC-2024-0436",
+]

.circleci/config.yml

@@ -400,16 +400,33 @@ jobs:
     steps:
       - checkout
       - setup_environment:
-          cache_key: v3.3.1-rust-1.83.0--cache
+          cache_key: v3.3.1-rust-1.83.0-machete-cache
       - run:
           name: Check for unused dependencies
-          no_output_timeout: 35m
+          no_output_timeout: 10m
           command: |
             cargo install cargo-machete@0.7.0
             cargo machete
       - clear_environment:
           cache_key: v3.3.1-rust-1.83.0-machete-cache
 
+  check-cargo-audit:
+    docker:
+      - image: cimg/rust:1.83.0 # Attention - Change the MSRV in Cargo.toml and rust-toolchain as well
+    resource_class: << pipeline.parameters.medium >>
+    steps:
+      - checkout
+      - setup_environment:
+          cache_key: v3.3.1-rust-1.83.0-cargo-audit-cache
+      - run:
+          name: Check for security vulnerabilities
+          no_output_timeout: 10m
+          command: |
+            cargo install cargo-audit@0.21.2 --locked
+            cargo audit -D warnings
+      - clear_environment:
+          cache_key: v3.3.1-rust-1.83.0-cargo-audit-cache
+
   check-clippy:
     docker:
       - image: cimg/rust:1.83.0 # Attention - Change the MSRV in Cargo.toml and rust-toolchain as well
@@ -466,6 +483,7 @@ workflows:
       - check-fmt
       - check-clippy
       - check-unused-dependencies
+      - check-cargo-audit
       - devnet-test
 
   windows-workflow: