Companion tracking follow-up from the same security-dependency audit (see the quick-xml issue).
The advisory: RUSTSEC-2026-0192 — ttf-parser is unmaintained. Not a vulnerability; an ecosystem-risk flag. It fails the cargo deny advisories check.
Why no version bump fixes it: no fixed version exists (the crate is unmaintained at every version), and it enters the tree at two points:
ttf-parser (0.15.2 / 0.20.0 / 0.25.1) <- plotters 0.3.7 <- criterion, ruvector-bench, ruvector-benchmarks
ttf-parser <- owned_ttf_parser (ab_glyph font stack)
Note the trap we hit while checking alternatives: switching plotters' font backend to ab_glyph does NOT remove ttf-parser — ab_glyph depends on owned_ttf_parser, which wraps the same crate. Most of the Rust font-parsing ecosystem currently sits on ttf-parser, which is also why "unmaintained" here is lower-risk than it sounds: it is extremely widely deployed and font parsing here only ever touches trusted, locally-bundled fonts in benchmark plot rendering.
Alternatives worth considering:
- Trim where it comes from: criterion pulls plotters only for HTML reports — if those aren't used in CI,
default-features = false on criterion (keeping cargo_bench_support) drops one entry path. The direct plotters deps in the two bench crates would need the same font-free configuration or a text-free backend.
- Plot outside the graph: emit CSV/JSON from benches and render with external tooling; removes plotters (and the entire font stack) from the workspace.
- Accept + monitor (what the audit branch documents meanwhile): a
deny.toml ignore with rationale, revisited if the advisory ever escalates from unmaintained to vulnerable, or if plotters moves off ttf-parser upstream.
Given the trusted-input usage, option 3 is defensible long-term; filing this so the ignore entry has a visible home rather than being silent configuration.
Companion tracking follow-up from the same security-dependency audit (see the quick-xml issue).
The advisory: RUSTSEC-2026-0192 —
ttf-parseris unmaintained. Not a vulnerability; an ecosystem-risk flag. It fails thecargo denyadvisories check.Why no version bump fixes it: no fixed version exists (the crate is unmaintained at every version), and it enters the tree at two points:
Note the trap we hit while checking alternatives: switching plotters' font backend to
ab_glyphdoes NOT remove ttf-parser —ab_glyphdepends onowned_ttf_parser, which wraps the same crate. Most of the Rust font-parsing ecosystem currently sits on ttf-parser, which is also why "unmaintained" here is lower-risk than it sounds: it is extremely widely deployed and font parsing here only ever touches trusted, locally-bundled fonts in benchmark plot rendering.Alternatives worth considering:
default-features = falseon criterion (keepingcargo_bench_support) drops one entry path. The direct plotters deps in the two bench crates would need the same font-free configuration or a text-free backend.deny.tomlignore with rationale, revisited if the advisory ever escalates from unmaintained to vulnerable, or if plotters moves off ttf-parser upstream.Given the trusted-input usage, option 3 is defensible long-term; filing this so the ignore entry has a visible home rather than being silent configuration.