Cargo Security has been failing on main since #675 (Renovate, toml_edit 0.25.12 -> 0.25.13) merged at 14:53:
cargo vet diff toml_edit 0.25.12+spec-1.1.0 0.25.13+spec-1.1.0
NOTE: mozilla and bytecode-alliance trust Ed Page (epage) - consider cargo vet trust toml_edit epage
cargo vet diff toml_writer 1.1.1+spec-1.1.0 1.1.2+spec-1.1.0
estimated audit backlog: 59 lines
The bumps are unaudited, so cargo vet refuses them and the job exits 255. Every commit landing on main since then inherits the red — #676 and #678 both show it and neither has anything to do with it.
The exemptions in config.toml are pinned per version, so each toml_edit bump re-breaks this and needs a hand-edit. Renovate can't do that, so the treadmill runs forever.
Both crates are published by Ed Page (epage), whom mozilla and bytecode-alliance — the two audit sets we already import — both trust. cargo vet trust records the publisher once and covers future versions, which is what the tool suggests in its own error message.
Cargo Securityhas been failing onmainsince #675 (Renovate,toml_edit0.25.12 -> 0.25.13) merged at 14:53:The bumps are unaudited, so
cargo vetrefuses them and the job exits 255. Every commit landing onmainsince then inherits the red — #676 and #678 both show it and neither has anything to do with it.The exemptions in
config.tomlare pinned per version, so eachtoml_editbump re-breaks this and needs a hand-edit. Renovate can't do that, so the treadmill runs forever.Both crates are published by Ed Page (epage), whom mozilla and bytecode-alliance — the two audit sets we already import — both trust.
cargo vet trustrecords the publisher once and covers future versions, which is what the tool suggests in its own error message.