Skip to content

ci(deny): ignore quick-xml RUSTSEC-2026-0194/0195 pending upstream bump#193

Merged
thewrz merged 1 commit into
mainfrom
fix/deny-quick-xml-advisories
Jul 6, 2026
Merged

ci(deny): ignore quick-xml RUSTSEC-2026-0194/0195 pending upstream bump#193
thewrz merged 1 commit into
mainfrom
fix/deny-quick-xml-advisories

Conversation

@thewrz

@thewrz thewrz commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Why

Two RustSec advisories published against quick-xml 0.39.4 (RUSTSEC-2026-0194 quadratic attribute check, RUSTSEC-2026-0195 unbounded namespace allocation) broke the Deny CI job on main and every open PR branch. Both are patched only in quick-xml >= 0.41.0, and the sole consumer — wayland-scanner, a build-time proc-macro parsing vendored Wayland protocol XML — has no release requiring 0.41 yet. Neither DoS is reachable at runtime: HonkHonk never parses untrusted XML.

What

Adds temporary, documented deny.toml ignores for both advisories (same pattern as the existing RUSTSEC-2024-0436 / RUSTSEC-2026-0192 entries), with an explicit removal condition: drop them when wayland-scanner moves to quick-xml 0.41. The same commit is cherry-picked onto the five open PR branches so their CI can settle.

Testing

  • cargo deny check passes locally (advisories, bans, licenses, sources all ok)
  • CI green

🤖 Co-authored by Claude Fable 5. Closes #192.

Summary by CodeRabbit

  • Chores
    • Updated security advisory settings to account for two newly identified issues.
    • Added notes indicating the affected case is limited to build-time processing, with no runtime impact currently expected.

Both advisories are DoS-via-untrusted-XML in quick-xml < 0.41. The sole
consumer is wayland-scanner, a build-time proc-macro parsing vendored
Wayland protocol XML; no untrusted XML is parsed at runtime, so neither
issue is reachable in the shipped binary. wayland-scanner 0.31.10
(latest) still pins quick-xml ^0.39 — drop these ignores when it moves
to 0.41.

Closes #192.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0eb00388-4376-4f92-a8e6-45ffa58c762f

📥 Commits

Reviewing files that changed from the base of the PR and between fa80c57 and d6d3cd2.

📒 Files selected for processing (1)
  • deny.toml

📝 Walkthrough

Walkthrough

The deny.toml advisories ignore list is extended with two new RustSec advisory suppressions, RUSTSEC-2026-0194 and RUSTSEC-2026-0195, accompanied by comments explaining the build-time-only exposure through the wayland-scanner proc-macro.

Changes

Advisory suppression update

Layer / File(s) Summary
Add new RustSec advisory ignores
deny.toml
Adds RUSTSEC-2026-0194 and RUSTSEC-2026-0195 to the ignore list with rationale comments noting the quick-xml vulnerability is only triggered at build time via wayland-scanner parsing vendored XML, and no patched upstream release exists yet.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related issues: #192 — documents the RUSTSEC-2026-0194/0195 CI failures and the temporary ignore-based fix implemented in this PR.

Suggested labels: ci, dependencies, security

Suggested reviewers: wrzonance

Poem
A rabbit hops through XML weeds,
Two advisories flagged with care,
"Build-time only," the comment reads,
No runtime parsing lurking there.
Ignore, ignore, till quick-xml's new —
Hop on, the Deny job passes through! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the change: temporarily ignoring the quick-xml RustSec advisories in deny CI.
Linked Issues check ✅ Passed The deny.toml ignores and build-time-only rationale match the linked issue's temporary fix for RUSTSEC-2026-0194/0195.
Out of Scope Changes check ✅ Passed The PR only updates deny.toml with the documented advisory ignores and adds no unrelated changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/deny-quick-xml-advisories

Comment @coderabbitai help to get the list of available commands.

@thewrz thewrz marked this pull request as ready for review July 6, 2026 14:04
@thewrz

thewrz commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

Review gate: CodeRabbit produced no walkthrough/review on this PR (green check is only the ack), so Codex (GPT-5.5, adversarial) served as the review gate per the review loop's backup path.

Codex verdict — no findings. It independently confirmed the exposure assessment: quick-xml is only present through the wayland-scanner proc-macro (build-time, vendored protocol XML), so the runtime DoS risk described by RUSTSEC-2026-0194/0195 is not introduced or reachable via this patch, and the scoped ignores with a removal condition are the appropriate mitigation until wayland-scanner moves to quick-xml ≥ 0.41.

@thewrz thewrz merged commit 54f626a into main Jul 6, 2026
7 checks passed
@thewrz thewrz deleted the fix/deny-quick-xml-advisories branch July 6, 2026 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(deny): RUSTSEC-2026-0194/0195 (quick-xml 0.39) fail the Deny job on every branch

1 participant