From 017099215ceccd54b0b30466b1bc5e243be943f1 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sun, 22 Mar 2026 04:04:42 +0100
Subject: [PATCH] chore: add RUSTSEC-2026-0049 exception to deny.toml

We cannot upgrade the crate because it is a transitive dependency and the issue described in is not dangerous because it requiers a compromised CA and revoked certificate. Worst case that happens with iroh is that outer layer of encryption to iroh relay is compromised, but iroh traffic is still encrypted between peers without relying on CAs.
---
 deny.toml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/deny.toml b/deny.toml
index c2a147ab9..d158832ba 100644
--- a/deny.toml
+++ b/deny.toml
@@ -17,6 +17,13 @@ ignore = [
  # It is a transitive dependency of iroh 0.35.0,
  # this should be fixed by upgrading to iroh 1.0 once it is released.
  "RUSTSEC-2025-0134",
+
+ # rustls-webpki v0.102.8
+ # We cannot upgrade to >=0.103.10 because
+ # it is a transitive dependency of iroh 0.35.0
+ # which depends on ^0.102.
+ #
+ "RUSTSEC-2026-0049",
 ]
 
 [bans]
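Review bot: The new `ignore` entry records why rustls-webpki cannot be upgraded, but not why the advisory is acceptable or when the exception should be removed; that reasoning lives only in the commit message, whereas the entry above it states its removal condition. I would add to the comment block something like `# Needs a compromised CA and a revoked certificate; only the outer TLS layer to the iroh relay is affected.` and `# Remove once iroh no longer depends on rustls-webpki ^0.102.` The bare `#` line before the ID looks like a reference that did not survive (possibly only a rendering artifact), so confirm the advisory link is actually present in the file. Because the exception is keyed by advisory ID rather than by dependency path, it would also silence the finding for any other affected rustls-webpki copy in the tree, where the relay-only reasoning may not hold; checking with `cargo tree -i rustls-webpki` that iroh is the only consumer of an affected version would close that gap.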