chore(deps): waive RUSTSEC-2026-0192 (ttf-parser unmaintained) #175
Merged: StefanSteiner merged 1 commit on Jun 30, 2026
ttf-parser is flagged unmaintained (informational, no patched version). It is pulled in only transitively via plotters' chart-rendering font backend; we never call it directly, so there is no runtime risk. Both of plotters' font backends (ttf, ab_glyph) terminate at ttf-parser, so the advisory cannot be cleared by a version bump. Mirror the waiver in deny.toml and .cargo/audit.toml, matching the existing 'paste' unmaintained precedent. Tracking upstream at plotters-rs/plotters#736; drop this waiver once plotters migrates its font stack (e.g. to skrifa).
What

Waive RUSTSEC-2026-0192 (`ttf-parser` unmaintained) in both `deny.toml` and `.cargo/audit.toml`, so the `cargo-deny` CI job goes green again.

Why

`ttf-parser` was flagged unmaintained on 2026-06-28. The advisory is informational (the author has stepped away), not a vulnerability, and it has no patched version, so it applies to every release of the crate.

`ttf-parser` is not a direct dependency and is never called from our code. It comes in transitively only through `plotters`, which we use in `hyperdb-mcp` for server-side PNG/SVG chart rendering.

A literal "switch to skrifa" isn't possible: `plotters` has no skrifa backend, and both of its font paths terminate at `ttf-parser` (the `ttf` default via `font-kit`, and the `ab_glyph` feature via `ab_glyph -> owned_ttf_parser -> ttf-parser`). A version bump can't clear it either, since the advisory covers all versions.

Given there's no runtime risk in our usage (rasterizing chart text from operator-supplied query results), waiving it is the right call for now. This mirrors the existing `paste` unmaintained waiver already in `deny.toml`.

Upstream tracking

Commented on the active plotters refactor that moves its font stack to harfrust/skrifa/zeno: plotters-rs/plotters#736. The waiver comments in both config files reference that issue. We'll drop the waiver once a plotters release lands that retires the `ttf-parser` path.

Verification

- `cargo deny check advisories` -> advisories ok
- `cargo audit` -> no RUSTSEC-2026-0192
- `cargo test -p hyperdb-mcp --test chart_tests` -> 37/37 pass (no regression)