Commit 0519cae
chore: bump regorus 0.2.8 → 0.10 to fully clear RUSTSEC-2026-0097
The audit fix in PR #110 bumped rand 0.9.x to 0.9.4 but left the
residual rand 0.8.5 in place (pulled by regorus 0.2.8). That instance
was carried under an --ignore RUSTSEC-2026-0097 in supply-chain.yml
and deny.toml with a comment "tracked for upstream resolution; sigil
does not use custom rand loggers."
regorus 0.10 is now out and drops the rand 0.8.5 transitive from the
dep graph entirely. With it gone, the ignore entry in deny.toml and
the matching --ignore flag in supply-chain.yml are no longer needed —
cargo audit returns 0 vulnerabilities (excluding the unmaintained
rustls-pemfile, which stays in the ignore list pending upstream
deprecation).
The regorus dep is feature-gated behind `--features rego` and is
optional for power users of the Rego policy language; default builds
do not use it. cargo build (default), cargo build --features rego,
and cargo test --no-run --features rego all clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 57c5b71 commit 0519cae
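The commit message above describes two supply-chain chores that are worth being able to check mechanically: finding which dependency is the one still pulling an old, advisory-affected crate version into Cargo.lock (here regorus 0.2.8 pulling rand 0.8.5), and noticing when a `deny.toml` advisory ignore has gone stale because the affected version left the dependency graph. The Python below is an added example, not code from this commit or from the sigil project. It parses two constructed Cargo.lock excerpts (a "before" with both rand versions and an "after" matching the regorus bump) and a constructed `deny.toml`, reports crates locked at more than one version, walks the dependency chain from the root crate to the affected version, and lists ignores that no longer match anything. The root crate name `sigil`, the version `0.10.0` for regorus, the `RUSTSEC-XXXX-YYYY` placeholder id for the rustls-pemfile notice, and the "below 0.9.4" affected range for RUSTSEC-2026-0097 are assumptions made for the example; a real check would take the range from the RustSec advisory database rather than hard-coding it.

```python
"""Find which dependency pulls an advisory-affected crate version into Cargo.lock and flag
deny.toml advisory ignores that no longer match any locked package (added example)."""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib
from collections import defaultdict

def semver(v):
    return tuple(int(p) for p in v.split("."))

# Constructed Cargo.lock excerpts (source = lines omitted). BEFORE mirrors the commit message:
# regorus 0.2.8 pulls rand 0.8.5 next to the root crate's own rand 0.9.4. AFTER: regorus 0.10
# no longer depends on rand, so only 0.9.4 remains and Cargo.lock names it without a version.
LOCK_BEFORE = """
[[package]]
name = "sigil"
version = "0.1.0"
dependencies = ["rand 0.9.4", "regorus"]
[[package]]
name = "regorus"
version = "0.2.8"
dependencies = ["rand 0.8.5"]
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand"
version = "0.9.4"
"""
LOCK_AFTER = """
[[package]]
name = "sigil"
version = "0.1.0"
dependencies = ["rand", "regorus"]
[[package]]
name = "regorus"
version = "0.10.0"
[[package]]
name = "rand"
version = "0.9.4"
"""
# Constructed cargo-deny config carrying the ignore the commit retires; the second entry is a
# placeholder id standing in for the unmaintained rustls-pemfile notice in the commit message.
DENY_BEFORE = """
[advisories]
ignore = [{ id = "RUSTSEC-2026-0097", reason = "tracked for upstream resolution" }, "RUSTSEC-XXXX-YYYY"]
"""
# Advisory id -> (crate, is_affected(version)). The page states 0.8.5 is affected and 0.9.4 is
# the fix; "below 0.9.4" is an assumed range here, a real check would read it from the RustSec DB.
ADVISORIES = {"RUSTSEC-2026-0097": ("rand", lambda v: semver(v) < (0, 9, 4))}

def parse_lock(text):
    """Return {(name, version): [(dep_name, dep_version), ...]} for every locked package."""
    pkgs = tomllib.loads(text)["package"]
    by_name = defaultdict(list)
    for p in pkgs:
        by_name[p["name"]].append(p["version"])
    graph = {}
    for p in pkgs:
        deps = []
        for spec in p.get("dependencies", []):
            parts = spec.split()  # "rand 0.8.5" when several versions coexist, else just "rand"
            if len(parts) > 1:
                deps.append((parts[0], parts[1]))
            elif len(by_name[parts[0]]) == 1:
                deps.append((parts[0], by_name[parts[0]][0]))
            else:
                raise ValueError(f"ambiguous dependency {spec!r} in {p['name']}")
        graph[(p["name"], p["version"])] = deps
    return graph

def duplicate_versions(graph):
    """Crates locked at more than one version, the usual sign of a stale transitive."""
    seen = defaultdict(set)
    for name, ver in graph:
        seen[name].add(ver)
    return {n: sorted(v, key=semver) for n, v in seen.items() if len(v) > 1}

def paths_to(graph, root, target):
    """Every dependency chain from root down to target, each a list of (name, version)."""
    found = []
    def walk(node, chain):
        if node == target:
            found.append(chain)
            return
        for dep in graph.get(node, []):
            if dep not in chain:  # skip cycles
                walk(dep, chain + [dep])
    walk(root, [root])
    return found

def affected_packages(graph, advisories=ADVISORIES):
    """Advisory id -> locked (name, version) pairs still inside the affected range."""
    hits = {adv: [(n, v) for n, v in graph if n == crate and is_affected(v)]
            for adv, (crate, is_affected) in advisories.items()}
    return {adv: pkgs for adv, pkgs in hits.items() if pkgs}

def stale_ignores(deny_text, graph, advisories=ADVISORIES):
    """Ignored ids known to `advisories` that no longer match any locked package."""
    entries = tomllib.loads(deny_text).get("advisories", {}).get("ignore", [])
    ignored = [e["id"] if isinstance(e, dict) else e for e in entries]
    return [i for i in ignored if i in advisories and i not in affected_packages(graph, advisories)]
```

Run against the "before" lock, `paths_to` returns the single chain sigil -> regorus 0.2.8 -> rand 0.8.5, which is the fact the commit message had to establish by hand; against the "after" lock the chain is gone and `stale_ignores` names RUSTSEC-2026-0097 as an ignore that can be deleted. Ignore entries whose id is not in the advisory table (the rustls-pemfile placeholder) are left alone rather than reported, since the script has no data to judge them.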
4 files changed
Lines changed: 355 additions & 206 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
51 | | - | |
52 | | - | |
53 | | - | |
54 | | - | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
55 | 54 | | |
56 | 55 | | |
57 | 56 | | |
| |||
61 | 60 | | |
62 | 61 | | |
63 | 62 | | |
64 | | - | |
65 | | - | |
| 63 | + | |
66 | 64 | | |
67 | 65 | | |
68 | 66 | | |
| |||
0 commit comments