
Run a nightly CI with the results from `cargo-audit`

Open coryan opened this issue 1 month ago • 2 comments

cargo-audit can report new CVEs in our dependency graph. We should run a nightly CI that reports any new CVEs (and we need to keep an ignore list).

This is not suitable for PRs because new CVEs can appear at random and we do not want to block development on them.

coryan avatar Dec 01 '25 17:12 coryan
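One way to set up the nightly job described above, as an added example that is not from the google-cloud-rust repository: a GitHub Actions workflow triggered only by a schedule (or manually), never by pull requests, with accepted advisories kept in cargo-audit's `.cargo/audit.toml` ignore list. The workflow name, cron time and the placeholder advisory id are assumptions.

```yaml
# Added example, not the project's own workflow. Runs cargo-audit nightly so a
# newly published advisory surfaces without blocking pull requests.
name: nightly-cargo-audit

on:
  schedule:
    - cron: "0 6 * * *"   # assumed time: once a day at 06:00 UTC; no PR trigger
  workflow_dispatch:       # allow a manual re-run after updating the ignore list

permissions:
  contents: read           # the job only reads the lockfile; no write scopes

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Audit dependency graph
        # cargo-audit reads the ignore list from .cargo/audit.toml, kept in the
        # repository alongside this workflow, for example:
        #
        #   [advisories]
        #   ignore = [
        #     "RUSTSEC-XXXX-XXXX",  # placeholder id: reviewed, reason and owner noted here
        #   ]
        #
        # Any other vulnerability fails the job. Warnings (unmaintained or yanked
        # crates) are printed but only fail the job if `--deny warnings` is added.
        run: cargo audit
```

A failed run on the schedule is the signal to either upgrade the affected crate or, after review, add the advisory id with a reason to the ignore list.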

@coryan where do you think we should be notified of the results? I was thinking about this while debugging the related issue and wasn't sure of the best way to do that.

And I agree on not running on PRs and the ignore list. For example, by running cargo audit in the repo, we can see the issue with rsa that would block and an issue with the paste crate that is just a warning.

alvarowolfx avatar Dec 01 '25 17:12 alvarowolfx

> where do you think we should be notified of the results? I was thinking about this while debugging the related issue and wasn't sure of the best way to do that.

@amanda-tarafa is working on a notification to a dedicated chat room. See #3931

> And I agree on not running on PRs and the ignore list. For example, by running cargo audit in the repo, we can see the issue with rsa that would block

Ack.

> and an issue with the paste crate that is just a warning.

FWIW, paste is fixed as-of #3935.

coryan avatar Dec 01 '25 17:12 coryan