Skip to content

ci: cargo audit hard-fails repo-wide on RUSTSEC-2026-0204 (crossbeam-epoch); bump to 0.9.20 #162

Description

@beardthelion

cargo audit began hard-failing on every open PR (and main on its next run) after the RustSec advisory-db picked up RUSTSEC-2026-0204 around 2026-07-06/07. The gate is hard-fail-by-design (.github/workflows/pr-checks.yml: "a green check here means 'no NEW advisories'"), so a newly published advisory reds CI until it is triaged. Green statuses on some open PRs are stale runs from before the advisory-db update (last green run was 2026-07-06 16:58; the first fresh runs on 2026-07-07 03:xx, on unrelated PRs, both fail).

Advisory

RUSTSEC-2026-0204: invalid pointer dereference in crossbeam-epoch's fmt::Pointer impl for Atomic and Shared. Present version 0.9.18, patched in >= 0.9.20. (Six other crates report as yellow unmaintained/unsound warnings and do not affect exit status; only this one hard-fails.)

Source (fully transitive)

crossbeam-epoch 0.9.18 -> moka 0.12.15 -> hickory-resolver 0.25.2 -> libp2p-dns 0.44.0 -> gitlawb-node

Not a direct dependency and not introduced by any current feature/fix PR: the shared Cargo.lock carries it, so this is repo-wide. Reproduced locally with cargo audit (exit 1, 1 vulnerability found).

Fix (verified viable)

cargo update -p crossbeam-epoch --precise 0.9.20

moka 0.12.15 requires crossbeam-epoch = "0.9.18" (caret range >=0.9.18, <0.10.0), which admits 0.9.20. The bump resolves cleanly with no other graph changes, touches only Cargo.lock, and cargo audit returns exit 0 afterward (verified by applying then reverting). This is the advisory's own prescribed remediation.

Do not add RUSTSEC-2026-0204 to .cargo/audit.toml: that ignore list is reserved for advisories with no available upstream fix (per the file's own comment), and a patched release exists here.

Scope

Land the bump on main (or a small dedicated PR against main). It clears the red cargo audit for all branches at once and should not ride inside an unrelated PR that otherwise touches no dependency files. Same tracking shape as #76 (advisory hygiene for the libp2p/hickory chain).

Metadata

Metadata

Assignees

No one assigned

    Labels

    crate:nodegitlawb-node — the serving node and REST APIkind:ciCI, release, or packaging pipelinekind:securityVulnerability fix or hardeningsev:mediumDegraded but workaround existssubsystem:peersPeer announce, discovery, and registry

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions