Skip to content

fix(ci): trust epage for toml_edit and toml_writer in cargo vet#680

Merged
BryanFRD merged 1 commit into
mainfrom
fix/vet-trust-epage
Jul 15, 2026
Merged

fix(ci): trust epage for toml_edit and toml_writer in cargo vet#680
BryanFRD merged 1 commit into
mainfrom
fix/vet-trust-epage

Conversation

@BryanFRD

Copy link
Copy Markdown
Contributor

Closes #679. main is red right now — this is the fix.

#675 bumped toml_edit to 0.25.13 at 14:53 and cargo vet rejected the unaudited diff, exiting 255. Everything merged since inherits it: #676 and #678 both show Cargo Security failing and neither touches Rust dependencies.

Our exemptions are pinned per version:

[[exemptions.toml_edit]]
version = "0.25.12+spec-1.1.0"

So every bump re-breaks the build and needs a hand-edit that Renovate cannot make — the same shape as the minimumReleaseAge treadmill: the only PRs needing the exemption are the ones that can't add it.

cargo vet trust records the publisher instead of the version, so future bumps are covered. Both crates are published by Ed Page (epage), whom mozilla and bytecode-alliance — the two audit sets we already import — both trust; cargo vet suggests this itself in the error. Trusted per crate rather than --all epage, so it stays scoped to what we actually depend on.

Drops the two now-redundant exemptions as a side effect. cargo vet passes locally on 0.10.0, the version CI installs: Vetting Succeeded (23 fully audited, 1 partially audited, 286 exempted).

@BryanFRD BryanFRD enabled auto-merge (squash) July 15, 2026 18:23
@BryanFRD BryanFRD merged commit 67ed57a into main Jul 15, 2026
39 checks passed
@BryanFRD BryanFRD deleted the fix/vet-trust-epage branch July 15, 2026 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

cargo vet fails main on every toml_edit bump

1 participant