Skip to content

deps: quick-xml DoS advisories (RUSTSEC-2026-0195/-0194) unfixable by version bump — alternative profiling-dependency options #680

Description

@ohdearquant

Tracking follow-up from a security-dependency audit of the workspace (a branch with the fixable bump — crossbeam-epoch RUSTSEC-2026-0204 — plus documented ignores is ready and will arrive as a PR).

The advisories: RUSTSEC-2026-0195 / RUSTSEC-2026-0194 (quick-xml 0.26.0, DoS-class, severity 7.5) flag on cargo audit.

Why a version bump can't fix it today (verified by live dependency resolution, not just lockfile reading):

quick-xml 0.26.0  <-  inferno 0.11.21  <-  pprof 0.13  <-  ruvector-bench (optional, behind the `profiling` feature)
  • pprof 0.15.0 (its newest release) still requires inferno = "^0.11"
  • inferno 0.11.21 (its newest 0.11 patch) still requires quick-xml = "^0.26"

So the vulnerable pin is upstream of this repo on every current release. Current quick-xml releases are unaffected; the chain just can't reach them yet.

Mitigating context: the exposure is dev-tooling only — pprof is optional and only enabled via ruvector-bench's profiling feature, so no default or production build ships the vulnerable code path.

Alternatives worth considering (any one of these clears the advisory rather than ignoring it):

  1. Drop in-process flamegraph rendering: use pprof's protobuf output feature instead of flamegraph, and render externally (go tool pprof, speedscope). Removes inferno → quick-xml entirely; keeps criterion integration.
  2. External profiler workflow: samply or cargo flamegraph as documented dev tools outside the dependency graph — zero workspace deps, same artifact.
  3. Upstream nudge: an issue on inferno asking for a quick-xml major bump would fix the whole ecosystem's chain; pprof would follow.
  4. Status quo + documented ignore (what the audit branch does meanwhile): keeps cargo audit/cargo deny green with an explicit rationale entry rather than a silent red.

Happy to send the PR for option 1 or 2 if either fits how you actually use the profiling feature.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions