
cherry pick Add RUSTSEC-2026-0173 exception (#882)#883

Merged
jerrysxie merged 1 commit into OpenDevicePartnership:stable-v0.1.y from RobertZ2011:cherry-pick-deny on Jun 8, 2026

Conversation

@RobertZ2011


No description provided.

@RobertZ2011 RobertZ2011 self-assigned this Jun 8, 2026
Copilot AI review requested due to automatic review settings June 8, 2026 20:22
@RobertZ2011 RobertZ2011 requested a review from a team as a code owner June 8, 2026 20:22

Copilot AI left a comment


Pull request overview

Summary of changes

This PR updates the cargo-deny advisories configuration to keep cargo deny check advisories passing in the presence of new RustSec advisories. It adds an explicit ignore entry for RUSTSEC-2026-0173 and updates the rationale text for the existing RUSTSEC-2026-0110 ignore. The intent is to document that the affected crates are deprecated/unmaintained and that remediation depends on upstream dependency migration.

Changes:

  • Update the ignore rationale for RUSTSEC-2026-0110 to clarify the dependency chain (via cortex-m).
  • Add an ignore entry for RUSTSEC-2026-0173 with a short justification.

Step-by-step review guide

  1. Advisory allowlisting update (RustSec ignores)

    • What changed: The [advisories].ignore list now includes RUSTSEC-2026-0173, and the reason for RUSTSEC-2026-0110 was rewritten.
    • Why it matters: These entries control whether CI/tooling will block on advisory findings. Keeping reasons accurate helps future maintainers understand the risk acceptance and what needs to change upstream to remove the exception.
  2. Reason text refinement for existing ignore

    • What changed: The RUSTSEC-2026-0110 reason now explicitly notes bare-metal is deprecated/archived and that cortex-m depends on it.
    • Why it matters: This improves traceability for why the repo is accepting the advisory and what upstream needs to change to resolve it.

Potential issues

No issues identified in the proposed change.

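The change under review is a pair of entries in the `[advisories].ignore` list of a cargo-deny `deny.toml`. The fragment below is an added illustration of that shape, not the project's actual file: the reason strings are paraphrased from the review comment and the RUSTSEC-2026-0173 rationale is a placeholder, since the PR's own justification text is not shown on this page.

```toml
[advisories]
# Every other advisory still fails `cargo deny check advisories`;
# only the IDs listed here are accepted, each with a recorded reason.
ignore = [
    # Dependency chain: workspace crate -> cortex-m -> bare-metal.
    # The exception can go away once cortex-m stops depending on bare-metal.
    { id = "RUSTSEC-2026-0110", reason = "bare-metal is deprecated/archived and is pulled in via cortex-m (assumed wording)" },
    # PLACEHOLDER rationale: the PR's real justification is not reproduced on this page.
    { id = "RUSTSEC-2026-0173", reason = "PLACEHOLDER: deprecated/unmaintained crate; remediation depends on upstream migration" },
]
```

cargo-deny warns when an ignored advisory no longer matches any crate in the dependency graph, which is the signal that an entry has become stale and can be removed rather than carried forward indefinitely.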

@jerrysxie jerrysxie merged commit 505680d into OpenDevicePartnership:stable-v0.1.y Jun 8, 2026
15 checks passed
