Skip to content

fix(deny): ignore RUSTSEC-2026-0192 (ttf-parser unmaintained)#26

Merged
leboiko merged 1 commit into
masterfrom
fix/deny-ignore-ttf-parser-rustsec-2026-0192
Jul 2, 2026
Merged

fix(deny): ignore RUSTSEC-2026-0192 (ttf-parser unmaintained)#26
leboiko merged 1 commit into
masterfrom
fix/deny-ignore-ttf-parser-rustsec-2026-0192

Conversation

@leboiko

@leboiko leboiko commented Jul 1, 2026

Copy link
Copy Markdown
Owner

What broke

The post-merge master CI run for #25 (chore(deps): Bump the patch-and-minor group) failed on the cargo-deny job — every other job (build, tests, clippy, fmt, docs, audit) was green.

error[unmaintained]: `ttf-parser` is unmaintained
  ID: RUSTSEC-2026-0192
  https://rustsec.org/advisories/RUSTSEC-2026-0192

Root cause — advisory drift, not a code defect

This was not caused by #25's dependency bumps. ttf-parser's author declared the crate unmaintained on 2026-06-30, and RustSec published RUSTSEC-2026-0192 that day. #25's own PR-branch CI ran on 06-29 (green); the post-merge master run on 06-30 was simply the first run to fetch the updated advisory DB. Any push to master that day would have failed identically.

ttf-parser is a deep transitive dependency of the mermaid SVG→raster pipeline:

mermaid-rs-renderer -> fontdb / usvg / resvg / rustybuzz -> ttf-parser 0.25.1

Every version of ttf-parser is flagged (the crate itself is unmaintained), so there is no upgrade escape. The whole resvg/usvg/fontdb/ttf-parser stack shares a single upstream author; we can only drop this once that ecosystem migrates off ttf-parser. It is an unmaintained notice, not a security vulnerability (no CVE, no exploit).

Fix

Add a documented ignore for RUSTSEC-2026-0192 in deny.toml — the same pattern already used for syntect's transitive unmaintained deps (bincode, yaml-rust): the ignore cites the upstream blocker and is flagged for the quarterly re-audit, so it gets revisited (and dropped) the moment resvg/usvg ship a release without ttf-parser.

Upstream tracking: harfbuzz/ttf-parser#217

Verification

cargo deny check locally → advisories ok, bans ok, licenses ok, sources ok.

Follow-up

Re-audit at the next quarterly deny sweep: check whether resvg/usvg/fontdb have released a version that drops ttf-parser, and if so remove this ignore and bump mermaid-rs-renderer.

🤖 Generated with Claude Code

ttf-parser's author declared the crate unmaintained on 2026-06-30
(RUSTSEC-2026-0192). It is a deep transitive dep of the mermaid
SVG->raster pipeline (mermaid-rs-renderer -> fontdb/usvg/resvg/
rustybuzz -> ttf-parser); every version is flagged, so there is no
upgrade escape, and the whole resvg/usvg/fontdb/ttf-parser stack
shares one upstream author. It is an unmaintained notice, not a
security vulnerability.

This is the first master CI run to fetch the advisory after it was
published, which is why #25's post-merge run went red despite the
PR-branch run passing the day before — no code change caused it.

Handled the same way as the existing syntect transitive ignores:
documented ignore with the upstream blocker cited for quarterly
re-audit. `cargo deny check` is green again locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@leboiko leboiko merged commit a1f17a0 into master Jul 2, 2026
10 checks passed
@leboiko leboiko deleted the fix/deny-ignore-ttf-parser-rustsec-2026-0192 branch July 2, 2026 20:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant