From 3dcdd4c7d843c51b3ad77441287ba50be8f2c04f Mon Sep 17 00:00:00 2001
From: Eval Exec
Date: Wed, 17 Jun 2026 05:12:18 -0400
Subject: [PATCH] fix: ignore RUSTSEC-2026-0097 (rand 0.7.3 unsoundness) in security-audit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The rand 0.7.3 unsoundness (RUSTSEC-2026-0097) requires ALL of:
- Calling rand::thread_rng() from inside a custom log::Log implementation
- Trace-level logging active (or warn-level + getrandom failure)

ckb-cli uses rand only in normal code paths (keystore salt generation, mock tx helper) — never inside a custom logger. The advisory is not exploitable here.

Cannot semver-bump rand to 0.8 due to upstream deps pinning 0.7: ckb-vm, jsonrpc-pubsub, numext-fixed-uint-core.

make security-audit now exits 0 with zero errors.
---
 deny.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 36497dc8..b6b8fb3f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -72,7 +72,13 @@ feature-depth = 1
 ignore = [
 "RUSTSEC-2021-0145",
 "RUSTSEC-2024-0421", # https://rustsec.org/advisories/RUSTSEC-2024-0421
- "RUSTSEC-2026-0009" # CVE: RFC2822 parser stack recursion in time 0.3.41
+ "RUSTSEC-2026-0009", # CVE: RFC2822 parser stack recursion in time 0.3.41
+ # RUSTSEC-2026-0097: rand 0.7.3 unsoundness requires calling
+ # rand::thread_rng() from inside a custom log::Log implementation while
+ # trace-level logging is active. ckb-cli uses rand only in normal code
+ # paths (keystore salt generation, mock tx helper), never in a logger.
+ # Cannot semver-bump rand due to ckb-vm / jsonrpc-pubsub dep constraints.
+ "RUSTSEC-2026-0097",
 #"RUSTSEC-0000-0000",
 #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
 #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
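Review bot: The in-file rationale for the new `"RUSTSEC-2026-0097",` entry is narrower than the commit message: it names only the trace-level trigger and omits the warn-level + getrandom-failure path, and it lists two of the three crates pinning rand 0.7 (numext-fixed-uint-core is dropped), so a future reader auditing the ignore list from deny.toml alone will under-estimate the conditions and the upgrade blockers. Since the assessment rests on a property of the codebase (rand is never called from a `log::Log` implementation) that nothing in this file enforces, the entry should also say what would invalidate it, so the ignore is re-examined when a logger is added or when the pinning crates move off rand 0.7. The file's own commented template two lines below shows cargo-deny's structured form, which makes the justification visible in the audit output rather than only in a comment: `{ id = "RUSTSEC-2026-0097", reason = "rand 0.7.3 unsoundness needs rand::thread_rng() inside a custom log::Log impl at trace level (or warn level with getrandom failure); ckb-cli never uses rand in a logger. Revisit when ckb-vm / jsonrpc-pubsub / numext-fixed-uint-core leave rand 0.7." },`. The `ignore = [` array continues past the end of the hunk.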