fix(deny): ignore RUSTSEC-2026-0192 (ttf-parser unmaintained)#26
Merged
Merged
Conversation
ttf-parser's author declared the crate unmaintained on 2026-06-30 (RUSTSEC-2026-0192). It is a deep transitive dep of the mermaid SVG->raster pipeline (mermaid-rs-renderer -> fontdb/usvg/resvg/ rustybuzz -> ttf-parser); every version is flagged, so there is no upgrade escape, and the whole resvg/usvg/fontdb/ttf-parser stack shares one upstream author. It is an unmaintained notice, not a security vulnerability. This is the first master CI run to fetch the advisory after it was published, which is why #25's post-merge run went red despite the PR-branch run passing the day before — no code change caused it. Handled the same way as the existing syntect transitive ignores: documented ignore with the upstream blocker cited for quarterly re-audit. `cargo deny check` is green again locally. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What broke
The post-merge master CI run for #25 (
chore(deps): Bump the patch-and-minor group) failed on the cargo-deny job — every other job (build, tests, clippy, fmt, docs, audit) was green.Root cause — advisory drift, not a code defect
This was not caused by #25's dependency bumps.
ttf-parser's author declared the crate unmaintained on 2026-06-30, and RustSec published RUSTSEC-2026-0192 that day. #25's own PR-branch CI ran on 06-29 (green); the post-merge master run on 06-30 was simply the first run to fetch the updated advisory DB. Any push to master that day would have failed identically.ttf-parseris a deep transitive dependency of the mermaid SVG→raster pipeline:Every version of
ttf-parseris flagged (the crate itself is unmaintained), so there is no upgrade escape. The wholeresvg/usvg/fontdb/ttf-parserstack shares a single upstream author; we can only drop this once that ecosystem migrates offttf-parser. It is an unmaintained notice, not a security vulnerability (no CVE, no exploit).Fix
Add a documented ignore for RUSTSEC-2026-0192 in
deny.toml— the same pattern already used for syntect's transitive unmaintained deps (bincode, yaml-rust): the ignore cites the upstream blocker and is flagged for the quarterly re-audit, so it gets revisited (and dropped) the moment resvg/usvg ship a release withoutttf-parser.Upstream tracking: harfbuzz/ttf-parser#217
Verification
cargo deny checklocally → advisories ok, bans ok, licenses ok, sources ok.Follow-up
Re-audit at the next quarterly deny sweep: check whether
resvg/usvg/fontdbhave released a version that dropsttf-parser, and if so remove this ignore and bumpmermaid-rs-renderer.🤖 Generated with Claude Code