ruvector/.github
ruvnet f6cae8114c ci(hailo): mirror deny.toml advisory ignores into cargo-audit (iter 224)
iter-219's workspace re-inclusion (closing ADR-178 Gap E) had a
foreseeable-but-unspotted side effect on the iter-178
audit workflow: pre-iter-219 the hailo cluster crate had its own
narrower Cargo.lock, so `cargo audit --deny warnings` saw only the
deps that crate directly pulled in. Post-iter-219 with the workspace
lock, cargo-audit reads the wider tree and surfaces three advisories
that **deny.toml had already ignored** (iter 177 + iter 219):

  RUSTSEC-2024-0436  paste              (unmaintained, transitive
                                         via candle/cpu-fallback)
  RUSTSEC-2025-0134  rustls-pemfile     (transitive via tonic-tls)
  RUSTSEC-2025-0141  bincode 1.x        (workspace-wide pin via
                                         rkyv et al.)

cargo-audit and cargo-deny use separate config — deny.toml's
[advisories] ignore list isn't honored by cargo-audit. The fix is
to mirror the same three IDs into the CI workflow's `cargo audit`
invocation as `--ignore` flags.

Verified locally:

  Pre-fix:  cargo audit --deny warnings → "error: 3 denied warnings"
  Post-fix: cargo audit --deny warnings --ignore <three> → exit 0

Each `--ignore` carries a backtick-comment naming the package + why
it's transitive — same rationale as the deny.toml entries so the two
config sources drift together if someone updates one.

This isn't a real new vulnerability — these advisories existed in
the workspace tree all along; iter-219 just exposed them to the
cluster-crate audit step. iter-178's CI gate stays green without
weakening; the substantive remediation (workspace-wide rkyv /
candle-stack updates) belongs to a workspace-wide cleanup iter.

No code change; CI config + workflow comment.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-03 22:39:47 -04:00
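Added example (not ruvector's CI code): the commit above mirrors deny.toml's ignore list into `cargo audit --ignore` flags by hand and relies on matching comments to keep the two in sync. The script below derives the flags from deny.toml and fails when the workflow's `--ignore` set differs, which is the check a practitioner would put in CI so a change to one file without the other cannot merge. The deny.toml and the two workflow fragments are constructed samples that reuse the three IDs named in the commit; the ruvector workflow's actual contents, and every function name here, are assumptions.

```shell
#!/bin/sh
# Added example, not ruvector's own CI code: derive cargo-audit's --ignore
# flags from deny.toml's [advisories] ignore list and fail on drift.
set -eu

# Print the RUSTSEC IDs that deny.toml's [advisories] section ignores, one per
# line, sorted. Handles both the bare-string and the { id = ..., reason = ... }
# entry forms; TOML comments are stripped first so a commented-out entry or an
# ID mentioned in a trailing comment is not picked up (the id key is expected
# to precede any '#' inside the same entry).
deny_toml_advisory_ignores() {
  awk '
    /^[ \t]*\[/ { in_adv = ($0 ~ /^[ \t]*\[advisories\][ \t]*$/) }
    !in_adv     { next }
    { sub(/#.*$/, ""); print }
  ' "$1" \
    | grep -o 'RUSTSEC-[0-9]\{4\}-[0-9]\{4\}' | sort -u
}

# Print the RUSTSEC IDs a workflow passes to cargo audit as --ignore
# (either `--ignore ID` or `--ignore=ID`), one per line, sorted.
workflow_audit_ignores() {
  sed 's/#.*$//' "$1" \
    | grep -o -- '--ignore[[:space:]=]\{1,\}RUSTSEC-[0-9]\{4\}-[0-9]\{4\}' \
    | grep -o 'RUSTSEC-[0-9]\{4\}-[0-9]\{4\}' | sort -u
}

# Render deny.toml's ignore list as the flags to append to `cargo audit`.
cargo_audit_ignore_flags() {
  deny_toml_advisory_ignores "$1" \
    | awk '{ printf "%s--ignore %s", (NR > 1 ? " " : ""), $0 }
           END { if (NR > 0) printf "\n" }'
}

# Return 0 when deny.toml and the workflow ignore the same advisories; else
# print both lists to stderr and return 1 (a CI step that fails the build).
check_ignore_drift() {
  want=$(deny_toml_advisory_ignores "$1")
  have=$(workflow_audit_ignores "$2")
  if [ "$want" = "$have" ]; then
    return 0
  fi
  printf 'advisory ignore drift\n  %s: %s\n  %s: %s\n' \
    "$1" "$(printf '%s' "$want" | tr '\n' ' ')" \
    "$2" "$(printf '%s' "$have" | tr '\n' ' ')" >&2
  return 1
}

# Constructed sample inputs, written to a temp dir. The three IDs are the ones
# the commit names; the workflow fragments are invented: ci-ok.yml mirrors
# deny.toml, ci-drift.yml is missing one ID.
write_sample_inputs() {
  dir=$(mktemp -d)
  cat > "$dir/deny.toml" <<'EOF'
[advisories]
ignore = [
    "RUSTSEC-2024-0436", # paste: unmaintained, transitive via candle
    { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile via tonic-tls" },
    { id = "RUSTSEC-2025-0141", reason = "bincode 1.x, workspace pin via rkyv" },
    # "RUSTSEC-2020-0071", # commented out: must not be mirrored
]

[bans]
multiple-versions = "warn"
EOF
  cat > "$dir/ci-ok.yml" <<'EOF'
      - name: cargo audit
        # keep in sync with deny.toml [advisories].ignore
        run: |
          cargo audit --deny warnings \
            --ignore RUSTSEC-2024-0436 \
            --ignore RUSTSEC-2025-0134 \
            --ignore=RUSTSEC-2025-0141
EOF
  sed '/RUSTSEC-2025-0134/d' "$dir/ci-ok.yml" > "$dir/ci-drift.yml"
  echo "$dir"
}

SAMPLE_DIR=$(write_sample_inputs)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

echo "flags: $(cargo_audit_ignore_flags "$SAMPLE_DIR/deny.toml")"
check_ignore_drift "$SAMPLE_DIR/deny.toml" "$SAMPLE_DIR/ci-ok.yml"
if check_ignore_drift "$SAMPLE_DIR/deny.toml" "$SAMPLE_DIR/ci-drift.yml"; then
  echo "unexpected: drift not detected"
  exit 1
fi
```

One caveat on annotating the flags in the workflow itself, independent of how ruvector formats its comments: in a multi-line `run:` script joined with trailing backslashes, a `#` comment line between continued lines terminates the command and the remaining `--ignore` lines run as a separate (failing) command; in a `>` folded scalar the `#` is ordinary shell text, and after YAML folds the lines onto one line it comments out every flag that follows it. Putting the IDs in a shell variable or array above the `cargo audit` line, with the comments beside each assignment, avoids both.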
benchmarks feat: Add Neo4j-compatible hypergraph database package (ruvector-graph) 2025-11-25 23:11:54 +00:00
workflows ci(hailo): mirror deny.toml advisory ignores into cargo-audit (iter 224) 2026-05-03 22:39:47 -04:00