From fdce00826ffeb1fac6363872021d7be96b6afd45 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Mon, 23 Mar 2026 11:23:45 +0000
Subject: [PATCH] chore(deps): ignore RUSTSEC-2026-0066 astral-tokio-tar advisory

astral-tokio-tar 0.5.6 has insufficient PAX extension validation (fix requires >=0.6.0). This is a transitive dependency via rattler_package_streaming 0.24 which pins to 0.5.x.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deny.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deny.toml b/deny.toml
index 3831012ae8..6c418c472f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -75,6 +75,7 @@ ignore = [
 { id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin attack vulnerability from sigstore crate - no safe upgrade available" },
 { id = "RUSTSEC-2025-0119", reason = "number_prefix crate is unmaintained - used by indicatif/self_update, no safe upgrade available" },
 { id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available" },
+ { id = "RUSTSEC-2026-0066", reason = "astral-tokio-tar 0.5.6 PAX extension validation - transitive dep via rattler_package_streaming, no safe upgrade available" },
 #"RUSTSEC-0000-0000",
 #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
 #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
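Review bot: The reason on the added `RUSTSEC-2026-0066` entry says "no safe upgrade available", but the commit message says a fix exists in astral-tokio-tar >=0.6.0 and that the real blocker is rattler_package_streaming 0.24 pinning 0.5.x. Recording that in the entry gives the next auditor the exit condition, for example `reason = "astral-tokio-tar 0.5.6 PAX extension validation, fixed in >=0.6.0 - pinned to 0.5.x by rattler_package_streaming 0.24, remove once that pin moves"`. The ignore silences the advisory for the whole dependency graph, and rattler_package_streaming presumably unpacks package archives fetched from remote sources, so the unpatched tar parser likely stays on a path that handles untrusted input until the upgrade lands. A tracking issue reference in the reason would help; the `ignore = [` array opens and closes outside this hunk, so any surrounding policy is not visible here.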