cargo audit began hard-failing on every open PR (and main on its next run) after the RustSec advisory-db picked up RUSTSEC-2026-0204 around 2026-07-06/07. The gate is hard-fail-by-design (.github/workflows/pr-checks.yml: "a green check here means 'no NEW advisories'"), so a newly published advisory reds CI until it is triaged. Green statuses on some open PRs are stale runs from before the advisory-db update (last green run was 2026-07-06 16:58; the first fresh runs on 2026-07-07 03:xx, on unrelated PRs, both fail).
Advisory
RUSTSEC-2026-0204: invalid pointer dereference in crossbeam-epoch's fmt::Pointer impl for Atomic and Shared. Present version 0.9.18, patched in >= 0.9.20. (Six other crates report as yellow unmaintained/unsound warnings and do not affect exit status; only this one hard-fails.)
Source (fully transitive)
crossbeam-epoch 0.9.18 -> moka 0.12.15 -> hickory-resolver 0.25.2 -> libp2p-dns 0.44.0 -> gitlawb-node
Not a direct dependency and not introduced by any current feature/fix PR: the shared Cargo.lock carries it, so this is repo-wide. Reproduced locally with cargo audit (exit 1, 1 vulnerability found).
Fix (verified viable)
cargo update -p crossbeam-epoch --precise 0.9.20
moka 0.12.15 requires crossbeam-epoch = "0.9.18" (caret range >=0.9.18, <0.10.0), which admits 0.9.20. The bump resolves cleanly with no other graph changes, touches only Cargo.lock, and cargo audit returns exit 0 afterward (verified by applying then reverting). This is the advisory's own prescribed remediation.
Do not add RUSTSEC-2026-0204 to .cargo/audit.toml: that ignore list is reserved for advisories with no available upstream fix (per the file's own comment), and a patched release exists here.
Scope
Land the bump on main (or a small dedicated PR against main). It clears the red cargo audit for all branches at once and should not ride inside an unrelated PR that otherwise touches no dependency files. Same tracking shape as #76 (advisory hygiene for the libp2p/hickory chain).
cargo auditbegan hard-failing on every open PR (andmainon its next run) after the RustSec advisory-db picked upRUSTSEC-2026-0204around 2026-07-06/07. The gate is hard-fail-by-design (.github/workflows/pr-checks.yml: "a green check here means 'no NEW advisories'"), so a newly published advisory reds CI until it is triaged. Green statuses on some open PRs are stale runs from before the advisory-db update (last green run was 2026-07-06 16:58; the first fresh runs on 2026-07-07 03:xx, on unrelated PRs, both fail).Advisory
RUSTSEC-2026-0204: invalid pointer dereference incrossbeam-epoch'sfmt::Pointerimpl forAtomicandShared. Present version0.9.18, patched in>= 0.9.20. (Six other crates report as yellowunmaintained/unsoundwarnings and do not affect exit status; only this one hard-fails.)Source (fully transitive)
Not a direct dependency and not introduced by any current feature/fix PR: the shared
Cargo.lockcarries it, so this is repo-wide. Reproduced locally withcargo audit(exit 1,1 vulnerability found).Fix (verified viable)
moka 0.12.15requirescrossbeam-epoch = "0.9.18"(caret range>=0.9.18, <0.10.0), which admits0.9.20. The bump resolves cleanly with no other graph changes, touches onlyCargo.lock, andcargo auditreturns exit 0 afterward (verified by applying then reverting). This is the advisory's own prescribed remediation.Do not add
RUSTSEC-2026-0204to.cargo/audit.toml: that ignore list is reserved for advisories with no available upstream fix (per the file's own comment), and a patched release exists here.Scope
Land the bump on
main(or a small dedicated PR againstmain). It clears the redcargo auditfor all branches at once and should not ride inside an unrelated PR that otherwise touches no dependency files. Same tracking shape as #76 (advisory hygiene for the libp2p/hickory chain).