mirror of
https://github.com/ruvnet/RuVector.git
synced 2026-05-28 18:13:33 +00:00
iter-219's workspace re-inclusion (closing ADR-178 Gap E) had a
foreseeable-but-unspotted side effect on the iter-178
audit workflow: pre-iter-219 the hailo cluster crate had its own
narrower Cargo.lock, so `cargo audit --deny warnings` saw only the
deps that crate directly pulled in. Post-iter-219 with the workspace
lock, cargo-audit reads the wider tree and surfaces three advisories
that **deny.toml had already ignored** (iter 177 + iter 219):
- RUSTSEC-2024-0436 paste (unmaintained, transitive
  via candle/cpu-fallback)
- RUSTSEC-2025-0134 rustls-pemfile (transitive via tonic-tls)
- RUSTSEC-2025-0141 bincode 1.x (workspace-wide pin via
  rkyv et al.)
cargo-audit and cargo-deny use separate config — deny.toml's
[advisories] ignore list isn't honored by cargo-audit. The fix is
to mirror the same three IDs into the CI workflow's `cargo audit`
invocation as `--ignore` flags.
Verified locally:
- Pre-fix: cargo audit --deny warnings → "error: 3 denied warnings"
- Post-fix: cargo audit --deny warnings --ignore <three> → exit 0
Each `--ignore` carries a backtick-comment naming the package + why
it's transitive — same rationale as the deny.toml entries so the two
config sources drift together if someone updates one.
This isn't a real new vulnerability — these advisories existed in
the workspace tree all along; iter-219 just exposed them to the
cluster-crate audit step. iter-178's CI gate stays green without
weakening; the substantive remediation (workspace-wide rkyv /
candle-stack updates) belongs to a workspace-wide cleanup iter.
No code change; CI config + workflow comment.
Co-Authored-By: claude-flow <ruv@ruv.net>
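The commit keeps the two ignore lists in step by hand (same IDs, same rationale comments in both files). The script below is an added example, not part of the RuVector repository or this commit: a drift check that extracts the RUSTSEC IDs from `deny.toml`'s `[advisories]` table and from the `--ignore` flags of a workflow's `cargo audit` step, and exits non-zero when the two sets differ. File paths, the fixture contents and the exact ignore syntax it accepts (bare strings or `{ id = "...", reason = "..." }` tables in deny.toml; `--ignore <ID>` or `--ignore=<ID>` in the workflow) are assumptions for illustration; the three IDs are the ones named in the commit message.

```shell
#!/bin/sh
# Added example (not the RuVector repo's own script): fail CI when the RUSTSEC
# IDs ignored in deny.toml [advisories] and the `--ignore` flags passed to
# `cargo audit` in a workflow no longer match. File paths, fixture contents and
# the accepted ignore syntax are assumptions for illustration.

# Sorted, unique RUSTSEC IDs from the [advisories] table of a deny.toml.
# Accepts both the bare-string form and `{ id = "...", reason = "..." }`;
# full-line comments are dropped so an ID that is only mentioned in a comment
# is not treated as ignored. Other tables ([bans], [licenses], ...) are skipped.
deny_ignores() {
  awk '/^\[/ { in_adv = ($0 ~ /^\[advisories\]/) } in_adv' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -oE 'RUSTSEC-[0-9]{4}-[0-9]{4}' | sort -u
}

# Sorted, unique RUSTSEC IDs a workflow actually passes as `--ignore <ID>` or
# `--ignore=<ID>`. Only the flag argument counts, so package names in the
# inline `# ...` rationale comments can never be mistaken for ignored IDs.
audit_ignores() {
  grep -v '^[[:space:]]*#' "$1" \
    | grep -oE -e '--ignore[[:space:]=]+RUSTSEC-[0-9]{4}-[0-9]{4}' \
    | grep -oE 'RUSTSEC-[0-9]{4}-[0-9]{4}' | sort -u
}

# Print every ID present in one source but not the other; return 1 on drift.
check_drift() {
  rc=0
  deny_ids=$(deny_ignores "$1")
  audit_ids=$(audit_ignores "$2")
  for id in $deny_ids; do
    printf '%s\n' "$audit_ids" | grep -qx "$id" \
      || { echo "DRIFT: $id ignored in deny.toml but not passed to cargo audit"; rc=1; }
  done
  for id in $audit_ids; do
    printf '%s\n' "$deny_ids" | grep -qx "$id" \
      || { echo "DRIFT: $id passed to cargo audit but not ignored in deny.toml"; rc=1; }
  done
  return $rc
}

# Constructed fixtures (not the real RuVector files) using the three IDs from
# the commit message: a deny.toml, a workflow fragment in sync with it, and a
# stale workflow fragment that never mirrored the third entry.
make_fixtures() {
  dir=$(mktemp -d)
  cat > "$dir/deny.toml" <<'EOF'
[advisories]
ignore = [
    { id = "RUSTSEC-2024-0436", reason = "paste: unmaintained, transitive via candle/cpu-fallback" },
    { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile: transitive via tonic-tls" },
    "RUSTSEC-2025-0141", # bincode 1.x: workspace-wide pin via rkyv et al.
]

[bans]
multiple-versions = "warn"
EOF
  cat > "$dir/audit-in-sync.yml" <<'EOF'
      - name: cargo audit
        run: |
          cargo audit --deny warnings \
            --ignore RUSTSEC-2024-0436 `# paste: unmaintained, transitive via candle/cpu-fallback` \
            --ignore RUSTSEC-2025-0134 `# rustls-pemfile: transitive via tonic-tls` \
            --ignore RUSTSEC-2025-0141 `# bincode 1.x: workspace-wide pin via rkyv`
EOF
  cat > "$dir/audit-stale.yml" <<'EOF'
      - name: cargo audit
        run: |
          cargo audit --deny warnings \
            --ignore RUSTSEC-2024-0436 `# paste: unmaintained, transitive via candle/cpu-fallback` \
            --ignore RUSTSEC-2025-0134 `# rustls-pemfile: transitive via tonic-tls`
EOF
  echo "$dir"
}

# Stand-alone demo: the in-sync pair passes, the stale pair reports one DRIFT line.
demo() {
  dir=$(make_fixtures)
  echo "== in-sync workflow"
  check_drift "$dir/deny.toml" "$dir/audit-in-sync.yml" && echo "ok: no drift"
  echo "== stale workflow"
  check_drift "$dir/deny.toml" "$dir/audit-stale.yml" || echo "drift detected, exit status 1"
  rm -rf "$dir"
}

demo
```

Run it as an extra step in the same workflow (`check_drift deny.toml .github/workflows/<workflow>.yml`, with the real paths substituted) so a future edit to one list without the other turns the gate red instead of silently masking or re-surfacing an advisory. Note that cargo-audit also reads its own config file (`.cargo/audit.toml`, with an `[advisories] ignore` list); moving the IDs there instead of onto the command line does not remove the need for this check, it only changes which file the second list lives in.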
| Name |
|---|
| agentic-synth-ci.yml |
| benchmarks.yml |
| build-attention.yml |
| build-diskann.yml |
| build-gnn.yml |
| build-graph-node.yml |
| build-graph-transformer.yml |
| build-native.yml |
| build-router.yml |
| build-rvf-node.yml |
| build-tiny-dancer.yml |
| build-verified.yml |
| ci.yml |
| clippy-fmt.yml |
| copilot-setup-steps.yml |
| docker-publish.yml |
| edge-net-models.yml |
| hailo-backend-audit.yml |
| hooks-ci.yml |
| mirror-rulake.yml |
| postgres-extension-ci.yml |
| publish-all.yml |
| RELEASE-FLOW.md |
| release-rvf-cli.yml |
| RELEASE.md |
| release.yml |
| ruvector-postgres-ci.yml |
| ruvllm-benchmarks.yml |
| ruvllm-build.yml |
| ruvllm-esp32-firmware.yml |
| ruvllm-native.yml |
| ruvltra-tests.yml |
| sona-napi.yml |
| sync-rvf-examples.yml |
| thermorust-ci.yml |
| ui-ci.yml |
| validate-lockfile.yml |
| wasm-dedup-check.yml |