chore(rust): remove stale RUSTSEC-2026-0002 ignore by ajsutton · Pull Request #19598 · ethereum-optimism/optimism

ajsutton · 2026-03-17T10:20:51Z

Summary

Remove the RUSTSEC-2026-0002 ignore entry from rust/deny.toml — the advisory no longer matches any crate in the dependency tree, causing cargo-deny to fail with "advisory was not encountered".
The vulnerable lru versions (0.9.0–0.16.2) have been patched; lru 0.16.3 is already in Cargo.lock.
This unblocks rust-deny CI for all open PRs (e.g. fix: correct cd paths in kona action test recipes #19597).

Test plan

rust-deny CI job passes on this PR

🤖 Generated with Claude Code

The lru crate advisory (RUSTSEC-2026-0002) no longer matches any crate in the dependency tree, causing cargo-deny to fail with "advisory was not encountered". The vulnerable lru versions (0.9.0–0.16.2) have been patched — lru 0.16.3 is already in Cargo.lock. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

codecov · 2026-03-17T10:56:18Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.5%. Comparing base (ba64213) to head (27653a2).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #19598      +/-   ##
===========================================
  Coverage     75.5%    75.5%              
===========================================
  Files          675      481     -194     
  Lines        71562    60286   -11276     
===========================================
- Hits         54071    45566    -8505     
+ Misses       17347    14720    -2627     
+ Partials       144        0     -144

Flag	Coverage Δ
cannon-go-tests-64	`?`
contracts-bedrock-tests	`?`
unit	`75.5% <ø> (-0.1%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 199 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

lz4_flex 0.12.0 suffers from RUSTSEC-2026-0041 https://rustsec.org/advisories/RUSTSEC-2026-0041

wiz-inc-a178a98b5d · 2026-03-17T13:04:11Z

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	7 1 2
Sensitive Data	-
Secrets	-
IaC Misconfigurations	-
SAST Findings	-
Software Management Findings	-

Total	7 1 2

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

wwared

Updated lz4_flex due to the following cargo-deny error:

├ ID: RUSTSEC-2026-0041
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0041
├ Decompressing invalid LZ4 data with the block API can leak data from uninitialized memory, or leak content from previous decompression operations when reusing an output buffer.

…#19598) * chore(rust): remove stale RUSTSEC-2026-0002 ignore from deny.toml The lru crate advisory (RUSTSEC-2026-0002) no longer matches any crate in the dependency tree, causing cargo-deny to fail with "advisory was not encountered". The vulnerable lru versions (0.9.0–0.16.2) have been patched — lru 0.16.3 is already in Cargo.lock. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: Update lz4_flex to 0.12.1 lz4_flex 0.12.0 suffers from RUSTSEC-2026-0041 https://rustsec.org/advisories/RUSTSEC-2026-0041 --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: wwared <541936+wwared@users.noreply.github.com>

ajsutton requested a review from a team as a code owner March 17, 2026 10:20

ajsutton requested a review from theochap March 17, 2026 10:21

chore: Update lz4_flex to 0.12.1

27653a2

lz4_flex 0.12.0 suffers from RUSTSEC-2026-0041 https://rustsec.org/advisories/RUSTSEC-2026-0041

wwared approved these changes Mar 17, 2026

View reviewed changes

wwared enabled auto-merge March 17, 2026 13:22

wwared added this pull request to the merge queue Mar 17, 2026

wwared removed this pull request from the merge queue due to a manual request Mar 17, 2026

wwared added this pull request to the merge queue Mar 17, 2026

github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Mar 17, 2026

wwared added this pull request to the merge queue Mar 17, 2026

wwared removed this pull request from the merge queue due to a manual request Mar 17, 2026

wwared added this pull request to the merge queue Mar 17, 2026

Merged via the queue into develop with commit 9cb57b0 Mar 17, 2026
280 checks passed

wwared deleted the aj/chore/remove-stale-rustsec-ignore branch March 17, 2026 16:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(rust): remove stale RUSTSEC-2026-0002 ignore#19598

chore(rust): remove stale RUSTSEC-2026-0002 ignore#19598
wwared merged 2 commits intodevelopfrom
aj/chore/remove-stale-rustsec-ignore

ajsutton commented Mar 17, 2026

Uh oh!

codecov bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

wiz-inc-a178a98b5d bot commented Mar 17, 2026

Uh oh!

wwared left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

ajsutton commented Mar 17, 2026

Summary

Test plan

Uh oh!

codecov bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

wiz-inc-a178a98b5d bot commented Mar 17, 2026

Wiz Scan Summary

Uh oh!

wwared left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

codecov bot commented Mar 17, 2026 •

edited

Loading