From 5744b85b9a6e154ecfbbc9390def266ca789b45d Mon Sep 17 00:00:00 2001
From: jif-oai
Date: Fri, 1 May 2026 18:15:38 +0200
Subject: [PATCH] fix: cargo deny (#20627)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix cargo deny by ack the `RUSTSEC` while a fix land

```
RUSTSEC-2026-0118 NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
RUSTSEC-2026-0119 CPU exhaustion during message encoding due to O(n²) name compression
Dependency path: hickory-proto 0.25.2
└── hickory-resolver 0.25.2
└── rama-dns 0.3.0-alpha.4
└── rama-tcp 0.3.0-alpha.4
└── codex-network-proxy
```

Also upgrade some workers version to prevent this:

```
warning[license-not-encountered]: license was not encountered
┌─ ./codex-rs/deny.toml:131:6
│
131 │ "OpenSSL",
│ ━━━━━━━ unmatched license allowance
warning[duplicate]: found 2 duplicate entries for crate 'base64'
┌─ /github/workspace/codex-rs/Cargo.lock:79:1
│
79 │ ╭ base64 0.21.7 registry+https://github.com/rust-lang/crates.io-index
80 │ │ base64 0.22.1 registry+https://github.com/rust-lang/crates.io-index
│ ╰───────────────────────────────────────────────────────────────────┘ lock entries
```
---
 .github/workflows/cargo-deny.yml | 4 ++--
 .github/workflows/rust-release.yml | 2 +-
 codex-rs/.cargo/audit.toml | 2 ++
 codex-rs/.github/workflows/cargo-audit.yml | 2 +-
 codex-rs/deny.toml | 2 ++
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
index 5294d0c7c5..46ecc97dd1 100644
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -17,10 +17,10 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+ uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
 - name: Run cargo-deny
 uses: EmbarkStudios/cargo-deny-action@82eb9f621fbc699dd0918f3ea06864c14cc84246 # v2
 with:
- rust-version: stable
+ rust-version: 1.93.0
 manifest-path: ./codex-rs/Cargo.toml
diff --git a/.github/workflows/rust-release.yml b/.github/workflows/rust-release.yml
index 073ba58210..faab87f97b 100644
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: dtolnay/rust-toolchain@c2b55edffaf41a251c410bb32bed22afefa800f1 # 1.92
+ - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
 - name: Validate tag matches Cargo.toml version
 shell: bash
 run: |
diff --git a/codex-rs/.cargo/audit.toml b/codex-rs/.cargo/audit.toml
index 4d9e4b81ed..9f029ada1d 100644
--- a/codex-rs/.cargo/audit.toml
+++ b/codex-rs/.cargo/audit.toml
@@ -6,4 +6,6 @@ ignore = [
 "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
 "RUSTSEC-2024-0320", # yaml-rust via syntect; remove when syntect drops or updates it
 "RUSTSEC-2025-0141", # bincode via syntect; remove when syntect drops or updates it
+ "RUSTSEC-2026-0118", # hickory-proto via rama-dns/rama-tcp; remove when rama updates to hickory 0.26.1 or hickory-net
+ "RUSTSEC-2026-0119", # hickory-proto via rama-dns/rama-tcp; remove when rama updates to hickory 0.26.1 or hickory-net
 ]
diff --git a/codex-rs/.github/workflows/cargo-audit.yml b/codex-rs/.github/workflows/cargo-audit.yml
index e75c841ab4..0c41471b65 100644
--- a/codex-rs/.github/workflows/cargo-audit.yml
+++ b/codex-rs/.github/workflows/cargo-audit.yml
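Review bot: The two new `ignore` entries in `codex-rs/.cargo/audit.toml` suppress the hickory-proto advisories with only a removal condition and no risk rationale, whereas the matching deny.toml entries in this same commit at least record why 0118 is considered unreachable ("DNSSEC features are not enabled"); `cargo audit` readers will look in this file, so the justification belongs here too. Suggest `"RUSTSEC-2026-0118", # hickory-proto via rama-dns/rama-tcp; DNSSEC features not enabled so the NSEC3 loop is unreachable; remove when rama updates to hickory 0.26.1 or hickory-net`. For 0119 (CPU exhaustion during message encoding) no feature flag mitigates the issue, and if codex-network-proxy encodes DNS queries for hostnames supplied by proxied clients the O(n²) path may be reachable from untrusted input — that exposure, or the reason it does not apply, should be stated in the comment rather than left implicit. Neither of these arrays shows an expiry mechanism, so a tracking issue reference in the comment is the only thing that will get the suppressions revisited once rama ships a fixed release.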
@@ -17,7 +17,7 @@ jobs:
 working-directory: codex-rs
 steps:
 - uses: actions/checkout@v4
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
 - name: Install cargo-audit
 uses: taiki-e/install-action@v2
 with:
diff --git a/codex-rs/deny.toml b/codex-rs/deny.toml
index b153ba80a8..a1ae5e96b3 100644
--- a/codex-rs/deny.toml
+++ b/codex-rs/deny.toml
@@ -78,6 +78,8 @@ ignore = [
 # TODO(fcoury): remove this exception when syntect drops yaml-rust and bincode, or updates to versions that have fixed the vulnerabilities.
 { id = "RUSTSEC-2024-0320", reason = "yaml-rust is unmaintained; pulled in via syntect v5.3.0 used by codex-tui for syntax highlighting; no fixed release yet" },
 { id = "RUSTSEC-2025-0141", reason = "bincode is unmaintained; pulled in via syntect v5.3.0 used by codex-tui for syntax highlighting; no fixed release yet" },
+ { id = "RUSTSEC-2026-0118", reason = "hickory-proto v0.25.2 is pulled in via rama-dns/rama-tcp used by codex-network-proxy; DNSSEC features are not enabled; remove when rama updates to hickory 0.26.1 or hickory-net" },
+ { id = "RUSTSEC-2026-0119", reason = "hickory-proto v0.25.2 is pulled in via rama-dns/rama-tcp used by codex-network-proxy; no fixed rama release is available yet; remove when rama updates to hickory 0.26.1 or hickory-net" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
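Review bot: `actions/checkout@v4` and `taiki-e/install-action@v2` in this hunk stay on mutable tags while the toolchain action between them is now pinned to a commit SHA, so the pinning is inconsistent within the same workflow, and the other two workflows touched by this commit already pin checkout to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. A tag can be moved to point at different code, so a SHA-pinned toolchain buys little while the checkout step that runs before it is unpinned. Suggest `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` here to match cargo-deny.yml, and pinning install-action to a SHA the same way (its SHA is not visible in this diff, so I cannot quote it).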
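Review bot: The `reason` for RUSTSEC-2026-0118 asserts "DNSSEC features are not enabled", which a reader of deny.toml cannot verify from this file, so the reason should say where that is established (which crate's feature set, or the `cargo tree -e features` invocation that confirms it) and name the hickory-proto dnssec feature family rather than "DNSSEC features" generically. The 0119 reason, by contrast, gives no exposure statement at all — "no fixed rama release is available yet" explains why it is not fixed, not why accepting a CPU-exhaustion bug in message encoding is acceptable for a network proxy; if the proxy only encodes names it chooses itself, say so, and if client-supplied names can reach it, say that instead. A suggested form for the first: `reason = "hickory-proto v0.25.2 via rama-dns/rama-tcp in codex-network-proxy; NSEC3 validation lives behind hickory's dnssec features, which rama-dns does not enable (verify with cargo tree -e features); remove when rama updates to hickory 0.26.1 or hickory-net"`.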