Summary
There is no deny.toml, .cargo/audit.toml, or any reference to cargo-deny or cargo-audit in the repository. This means there is no automated supply-chain vulnerability checking against the RustSec advisory database for the ~300+ transitive dependencies in Cargo.lock.
Additionally, the project uses serde_yaml 0.9.34+deprecated which depends on unsafe-libyaml (a Rust FFI binding around libyaml's C code). The serde_yaml crate is marked as deprecated by its author.
Impact
- Severity: Medium
- Known CVEs and RustSec advisories in transitive dependencies would go undetected, because nothing in CI consults the advisory database.
- The deprecated serde_yaml crate will not receive security updates, so any future finding in it or in unsafe-libyaml would have to be noticed and fixed manually.
Proposed Fix
- Add cargo-deny with an [advisories] section to CI
- Configure [bans] to flag deprecated crates
- Migrate from serde_yaml to a maintained alternative (e.g., serde_yml)
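A deny.toml that implements the first two proposals, as an added example rather than a file from the repository; it assumes cargo-deny 0.15 or newer (for `version = 2`, `crate`, `reason` and `use-instead`), and the RUSTSEC id under `ignore` is a commented placeholder, not a real advisory.

```toml
# deny.toml (added example; assumes cargo-deny >= 0.15)

[advisories]
# Schema 2: every RustSec advisory (vulnerability, unsound, unmaintained)
# is an error unless it is listed under `ignore` with a reason.
version = 2
db-urls = ["https://github.com/rustsec/advisory-db"]
# Fail if Cargo.lock pins a version that was yanked from crates.io.
yanked = "deny"
# Exceptions must name the advisory and say why it is accepted,
# so they show up in code review instead of silently disappearing.
ignore = [
    # { id = "RUSTSEC-0000-0000", reason = "placeholder: document why this is accepted" },
]

[bans]
# Several versions of one crate multiply the audit surface; warn first.
multiple-versions = "warn"
# Wildcard version requirements defeat reproducible builds.
wildcards = "deny"
# Flag the deprecated crate itself and point at the replacement
# proposed in this issue.
deny = [
    { crate = "serde_yaml", reason = "deprecated upstream; pulls in unsafe-libyaml", use-instead = "serde_yml" },
]

[sources]
# Only allow dependencies from known registries and git hosts.
unknown-registry = "deny"
unknown-git = "deny"
```

Locally, `cargo deny check advisories bans sources` exercises exactly these sections; in CI the same command can be run through the EmbarkStudios/cargo-deny-action action so a new advisory fails the build.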