v3.0: Ignore security advisory from tracing-subscriber dep #7846

Merged
steviez merged 1 commit into anza-xyz:v3.0 from steviez:ignore_tracing_subscriber_advisory
Sep 3, 2025
@steviez steviez commented Sep 3, 2025

Problem

Crate:     tracing-subscriber
Version:   0.3.7
Title:     Logging user input may result in poisoning logs with ANSI escape sequences
Date:      2025-08-29
ID:        RUSTSEC-2025-0055
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0055
Solution:  Upgrade to >=0.3.20
Dependency tree:
tracing-subscriber 0.3.7

Summary of Changes

Ignore the advisory given the callers of this dependency are not production code:

cargo tree --invert tracing-subscriber --depth 3
tracing-subscriber v0.3.20
└── tracing-opentelemetry v0.17.2
    └── tarpc v0.29.0
        ├── solana-banks-client v3.1.0 (/Users/steviez/src/solana/banks-client)
        ├── solana-banks-interface v3.1.0 (/Users/steviez/src/solana/banks-interface)
        └── solana-banks-server v3.1.0 (/Users/steviez/src/solana/banks-server)

The only users of this dependency are crates that support test harnesses
such as solana-program-test; this is not used in production code
@steviez changed the title from "v3.0: Ignore sec. advisory from tracing-subscriber dep" to "v3.0: Ignore security advisory from tracing-subscriber" Sep 3, 2025
@steviez changed the title from "v3.0: Ignore security advisory from tracing-subscriber" to "v3.0: Ignore security advisory from tracing-subscriber dep" Sep 3, 2025
@steviez marked this pull request as ready for review September 3, 2025 05:14
@steviez requested a review from a team as a code owner September 3, 2025 05:14
@steviez merged commit ddca2f9 into anza-xyz:v3.0 Sep 3, 2025
32 checks passed
@steviez deleted the ignore_tracing_subscriber_advisory branch September 3, 2025 15:56
@steviez added the v2.3 label Sep 3, 2025
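
An added example, not code from this pull request or the agave repository: one way to check the stated rationale mechanically, by parsing `cargo tree --invert` output and failing when a workspace crate that reaches the flagged dependency is missing from a reviewed test-only allowlist. The `TEST_ONLY` list and both function names are hypothetical; the sample tree is the output quoted in the description above.

```rust
// Added example (not from the PR): fail if a workspace crate that reaches an
// advisory-flagged dependency is missing from a reviewed test-only allowlist.

/// Sample input: the `cargo tree --invert` output quoted in the PR description.
const SAMPLE_TREE: &str = "\
tracing-subscriber v0.3.20
└── tracing-opentelemetry v0.17.2
    └── tarpc v0.29.0
        ├── solana-banks-client v3.1.0 (/Users/steviez/src/solana/banks-client)
        ├── solana-banks-interface v3.1.0 (/Users/steviez/src/solana/banks-interface)
        └── solana-banks-server v3.1.0 (/Users/steviez/src/solana/banks-server)
";

/// Assumption: a hypothetical allowlist standing in for whatever set of crates
/// a team has reviewed and accepted as test-harness-only.
const TEST_ONLY: &[&str] = &[
    "solana-banks-client",
    "solana-banks-interface",
    "solana-banks-server",
];

/// Names of workspace (path) crates found in an inverted dependency tree.
/// Cargo prints path crates as `name vX.Y.Z (/local/path)`; registry crates
/// carry no path suffix. Assumes Unix-style absolute paths.
fn workspace_dependents(tree: &str) -> Vec<String> {
    tree.lines()
        .filter_map(|line| {
            // Drop indentation and tree-drawing characters before the name.
            let entry = line.trim_start_matches(|c: char| !c.is_ascii_alphanumeric());
            let mut parts = entry.split_whitespace();
            let name = parts.next()?;
            parts.next()?; // version token
            parts.any(|t| t.starts_with("(/")).then(|| name.to_string())
        })
        .collect()
}

/// Workspace crates that reach the flagged dependency but are not allowlisted.
fn unreviewed_dependents(tree: &str, allow: &[&str]) -> Vec<String> {
    workspace_dependents(tree)
        .into_iter()
        .filter(|name| !allow.contains(&name.as_str()))
        .collect()
}

fn main() {
    let bad = unreviewed_dependents(SAMPLE_TREE, TEST_ONLY);
    println!("unreviewed dependents: {bad:?}");
    std::process::exit(if bad.is_empty() { 0 } else { 1 });
}
```

Run in CI against live `cargo tree --invert` output instead of the embedded sample, a check like this makes the ignore entry fail review as soon as a crate outside the allowlist starts depending on the flagged package.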
mergify Bot commented Sep 3, 2025

Backports to the stable branch are to be avoided unless absolutely necessary for fixing bugs, security issues, and perf regressions. Changes intended for backport should be structured such that a minimum effective diff can be committed separately from any refactoring, plumbing, cleanup, etc. that are not strictly necessary to achieve the goal. Any of the latter should go only into master and ride the normal stabilization schedule.

mergify Bot pushed a commit that referenced this pull request Sep 3, 2025
The only users of this dependency are crates that support test harnesses
such as solana-program-test; this is not used in production code

(cherry picked from commit ddca2f9)
t-nelson pushed a commit that referenced this pull request Sep 3, 2025
#7846) (#7858)

v3.0: Ignore security advisory from tracing-subscriber dep (#7846)

The only users of this dependency are crates that support test harnesses
such as solana-program-test; this is not used in production code

(cherry picked from commit ddca2f9)

Co-authored-by: steviez <steven@anza.xyz>
Japif pushed a commit to helius-labs/agave that referenced this pull request Feb 4, 2026
…7846)

The only users of this dependency are crates that support test harnesses
such as solana-program-test; this is not used in production code