This follow-up comes from PR #6418. cargo-deny still reports RUSTSEC-2026-0097 because libp2p-floodsub pulls in rand 0.7.3 through cuckoofilter 0.5.0.
The current dependency path is:

```text
rand 0.7.3
└── cuckoofilter 0.5.0
    └── libp2p-floodsub
```
The fixable rand lines can be updated in Cargo.lock (0.8.6, 0.9.3, and 0.10.1), but RustSec does not list a patched rand 0.7.x release. cuckoofilter also has no newer crates.io release than 0.5.0.
A likely fix is to replace cuckoofilter in protocols/floodsub with a bounded duplicate-message cache, for example using the existing workspace hashlink dependency. The replacement should keep floodsub duplicate suppression bounded and avoid changing the public API if possible.
Once rand 0.7.3 is gone, remove the temporary RUSTSEC-2026-0097 advisory ignore from deny.toml.
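For illustration of the bounded duplicate-message cache proposed above, here is an added std-only sketch (not code from rust-libp2p, and not the hashlink-based variant the issue suggests; with hashlink the two containers below collapse into one `LruCache`). The message-id layout (source peer bytes plus big-endian sequence number) is an assumption for the example.

```rust
use std::collections::{HashSet, VecDeque};

/// Bounded "already seen?" cache for floodsub-style duplicate suppression.
/// The oldest id is evicted first, so memory stays capped at `capacity`
/// entries no matter how many distinct messages a peer floods at us.
pub struct SeenCache {
    capacity: usize,
    order: VecDeque<Vec<u8>>, // insertion order, used for eviction
    seen: HashSet<Vec<u8>>,   // membership lookups
}

impl SeenCache {
    pub fn new(capacity: usize) -> Self {
        assert!(capacity > 0, "capacity must be non-zero");
        Self { capacity, order: VecDeque::with_capacity(capacity), seen: HashSet::with_capacity(capacity) }
    }

    /// Returns true if `id` was already present (a duplicate to drop);
    /// otherwise records it, evicting the oldest entry when full.
    pub fn insert(&mut self, id: &[u8]) -> bool {
        if self.seen.contains(id) {
            return true;
        }
        if self.order.len() == self.capacity {
            if let Some(oldest) = self.order.pop_front() {
                self.seen.remove(&oldest);
            }
        }
        self.order.push_back(id.to_vec());
        self.seen.insert(id.to_vec());
        false
    }

    pub fn contains(&self, id: &[u8]) -> bool { self.seen.contains(id) }
    pub fn len(&self) -> usize { self.seen.len() }
}

/// Constructed message id: source peer bytes followed by the sequence
/// number (assumed layout for this example, not floodsub's wire format).
pub fn message_id(source: &[u8], seqno: u64) -> Vec<u8> {
    let mut id = source.to_vec();
    id.extend_from_slice(&seqno.to_be_bytes());
    id
}

fn main() {
    let mut cache = SeenCache::new(2);
    let first = message_id(b"peerA", 1);
    println!("new: {}", !cache.insert(&first));      // new: true
    println!("duplicate: {}", cache.insert(&first)); // duplicate: true
}
```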