From 923ca8e4489c318ab7417b3be85c87c7fe31079b Mon Sep 17 00:00:00 2001 From: Noah Date: Sat, 13 Jun 2026 00:22:01 -0400 Subject: [PATCH] chore(ci): ignore pyo3 RUSTSEC-2026-0176 and -0177 in audit These two advisories affect pyo3 < 0.29. pyo3 is pulled only transitively through arrow's `pyarrow` feature (arrow-pyarrow), whose latest release still pins pyo3 ^0.28, so no dependency upgrade can clear them yet. Ignore them, matching how the existing transitive advisories are handled, until arrow-pyarrow moves to pyo3 >=0.29. --- .cargo/audit.toml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.cargo/audit.toml b/.cargo/audit.toml index 9655202e3f..3dd12fd477 100644 --- a/.cargo/audit.toml +++ b/.cargo/audit.toml @@ -43,4 +43,13 @@ ignore = [ # Direct dependency upgraded to 0.9.3+. Transitive rand 0.8.5 remains # from reqsign/sqllogictest/rustc-hash — no 0.8.x patch exists. "RUSTSEC-2026-0097", + # pyo3 < 0.29: out-of-bounds read in PyList/PyTuple `nth`/`nth_back`, and + # missing `Sync` bound on `PyCFunction::new_closure` closures. + # + # Pulled only transitively through arrow's `pyarrow` feature + # (arrow-pyarrow), which still pins pyo3 ^0.28 in its latest release; no + # arrow build supports the patched pyo3 0.29 yet. Remove once arrow-pyarrow + # moves to pyo3 >=0.29. + "RUSTSEC-2026-0176", + "RUSTSEC-2026-0177", ]
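Review bot: the new comment block above `"RUSTSEC-2026-0176"` gives the removal condition ("Remove once arrow-pyarrow moves to pyo3 >=0.29") but no way to tell when that condition is met, so these two ignores will tend to outlive their justification the way audit ignores usually do. Record the arrow-pyarrow version that was checked (the one that "still pins pyo3 ^0.28") and, if the project tracks such things, an issue reference, so a later `cargo audit` run or a dependency bump makes it obvious the entries can go; the neighbouring `RUSTSEC-2026-0097` entry at least names the concrete crates and versions involved. Since one of the suppressed advisories is an out-of-bounds read, it is also worth stating in the comment (or the commit message) whether the `pyarrow` feature is actually enabled in any artifact this repository builds and ships, and confirming the transitive-only claim with `cargo tree -i pyo3`; if the feature is only reachable in builds nobody produces, the ignore is hiding nothing, and if it is shipped, the ignore is accepting a real memory-safety issue and should say so explicitly rather than by implication.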