Tracking follow-up from a security-dependency audit of the workspace (a branch with the fixable bump — crossbeam-epoch RUSTSEC-2026-0204 — plus documented ignores is ready and will arrive as a PR).
The advisories: RUSTSEC-2026-0195 / RUSTSEC-2026-0194 (quick-xml 0.26.0, DoS-class, severity 7.5) flag on cargo audit.
Why a version bump can't fix it today (verified by live dependency resolution, not just lockfile reading):
quick-xml 0.26.0 <- inferno 0.11.21 <- pprof 0.13 <- ruvector-bench (optional, behind the `profiling` feature)
- pprof 0.15.0 (its newest release) still requires
inferno = "^0.11"
- inferno 0.11.21 (its newest 0.11 patch) still requires
quick-xml = "^0.26"
So the vulnerable pin is upstream of this repo on every current release. Current quick-xml releases are unaffected; the chain just can't reach them yet.
Mitigating context: the exposure is dev-tooling only — pprof is optional and only enabled via ruvector-bench's profiling feature, so no default or production build ships the vulnerable code path.
Alternatives worth considering (any one of these clears the advisory rather than ignoring it):
- Drop in-process flamegraph rendering: use pprof's
protobuf output feature instead of flamegraph, and render externally (go tool pprof, speedscope). Removes inferno → quick-xml entirely; keeps criterion integration.
- External profiler workflow:
samply or cargo flamegraph as documented dev tools outside the dependency graph — zero workspace deps, same artifact.
- Upstream nudge: an issue on inferno asking for a quick-xml major bump would fix the whole ecosystem's chain; pprof would follow.
- Status quo + documented ignore (what the audit branch does meanwhile): keeps
cargo audit/cargo deny green with an explicit rationale entry rather than a silent red.
Happy to send the PR for option 1 or 2 if either fits how you actually use the profiling feature.
Tracking follow-up from a security-dependency audit of the workspace (a branch with the fixable bump — crossbeam-epoch RUSTSEC-2026-0204 — plus documented ignores is ready and will arrive as a PR).
The advisories: RUSTSEC-2026-0195 / RUSTSEC-2026-0194 (quick-xml 0.26.0, DoS-class, severity 7.5) flag on
cargo audit.Why a version bump can't fix it today (verified by live dependency resolution, not just lockfile reading):
inferno = "^0.11"quick-xml = "^0.26"So the vulnerable pin is upstream of this repo on every current release. Current quick-xml releases are unaffected; the chain just can't reach them yet.
Mitigating context: the exposure is dev-tooling only —
pprofis optional and only enabled viaruvector-bench'sprofilingfeature, so no default or production build ships the vulnerable code path.Alternatives worth considering (any one of these clears the advisory rather than ignoring it):
protobufoutput feature instead offlamegraph, and render externally (go tool pprof, speedscope). Removes inferno → quick-xml entirely; keeps criterion integration.samplyorcargo flamegraphas documented dev tools outside the dependency graph — zero workspace deps, same artifact.cargo audit/cargo denygreen with an explicit rationale entry rather than a silent red.Happy to send the PR for option 1 or 2 if either fits how you actually use the profiling feature.