update: clean cargo-audit by removing atty and pinning rsa advisory#198

Merged
inureyes merged 1 commit into main from update/security-audit-cleanup on May 11, 2026

Conversation

@inureyes (Member)

Summary

Resolves all cargo-audit findings reported on deps.rs so the audit job returns a clean tree (0 vulnerabilities / 0 warnings).

Changes

1. Replace unmaintained atty with std::io::IsTerminal

  • Drops two advisories at once:
    • RUSTSEC-2024-0375: atty is unmaintained
    • RUSTSEC-2021-0145: atty potential unaligned read (unsound)
  • Five call sites migrated to std::io::{stdin, stdout}().is_terminal() in:
    • src/pty/mod.rs
    • src/utils/logging.rs
    • src/ssh/auth.rs
    • src/commands/interactive/connection.rs
  • atty = "0.2.14" removed from Cargo.toml.

2. Transitive patch bumps via cargo update

33 packages updated within existing semver constraints. Highlights:

| Crate    | Before  | After   |
|----------|---------|---------|
| tokio    | 1.52.1  | 1.52.3  |
| rustls   | 0.23.39 | 0.23.40 |
| h2       | 0.4.13  | 0.4.14  |
| digest   | 0.11.2  | 0.11.3  |
| rpassword| 7.4.0   | 7.5.2   |
| tonic    | 0.14.5  | 0.14.6  |
| whoami   | 2.1.1   | 2.1.2   |

3. Document RUSTSEC-2023-0071 (Marvin Attack) in .cargo/audit.toml

The Marvin Attack timing side-channel affects:

  • rsa 0.9.10 (via ssh-key 0.6.x)
  • rsa 0.10.0-rc.17 (via the vendored bssh-russh fork)

No fixed upstream release exists for any version of the rsa crate. Bumping to 0.10.0-rc.18 conflicts with bssh-russh's pkcs5 = "=0.8.0-rc.13" pin. The advisory is accepted at the audit layer with a comment recommending Ed25519/ECDSA keys as the practical mitigation; tracking RustCrypto/RSA#19.

What deps.rs flagged but was a false positive

| Crate          | Reported advisory | Status                                                            |
|----------------|-------------------|-------------------------------------------------------------------|
| chrono 0.4.44  | RUSTSEC-2020-0159 | affects <0.4.20; current version unaffected                       |
| tokio 1.52.x   | RUSTSEC-2023-0001 | affects <1.18.5 / other old branches; current unaffected          |
| bytes 1.11.1   | RUSTSEC-2026-0007 | not present in cargo-audit's advisory DB; out of scope            |

Test plan

  • cargo fmt --check clean
  • cargo clippy -- -D warnings clean
  • cargo test --lib — 1222 passed / 0 failed
  • cargo audit — 0 vulnerabilities, 0 warnings

Resolves all cargo-audit findings reported on deps.rs.

Replace the unmaintained `atty` crate with `std::io::IsTerminal` (stdlib since Rust 1.70). This drops two advisories at once: RUSTSEC-2024-0375 (unmaintained) and RUSTSEC-2021-0145 (unsound unaligned read). The five call sites in pty, logging, ssh::auth, and the interactive connection now go through `std::io::{stdin, stdout}().is_terminal()`.

Run `cargo update` to pick up 33 transitive patch bumps available within current semver constraints (tokio 1.52.1 -> 1.52.3, rustls 0.23.39 -> 0.23.40, h2 0.4.13 -> 0.4.14, digest 0.11.2 -> 0.11.3, rpassword 7.4.0 -> 7.5.2, and others). The Cargo.lock churn is mostly transitive; no direct `[dependencies]` constraints needed loosening except the atty removal.

Add `.cargo/audit.toml` ignoring RUSTSEC-2023-0071 (Marvin Attack) with an explanatory comment. Both `rsa 0.9.10` (via ssh-key 0.6.x) and `rsa 0.10.0-rc.17` (via the vendored bssh-russh fork) are affected, and no fixed upstream version exists for any rsa release. Bumping to 0.10.0-rc.18 conflicts with the bssh-russh `pkcs5 = "=0.8.0-rc.13"` pin, so we accept the advisory at the audit layer and document Ed25519/ECDSA as the recommended mitigation for users.

Verified: `cargo audit` reports 0 vulnerabilities / 0 warnings, `cargo clippy -- -D warnings` is clean, `cargo test --lib` passes (1222/1222), `cargo fmt --check` is clean.
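For readers unfamiliar with how cargo-audit accepts an advisory at the audit layer, this is an added illustration of what a `.cargo/audit.toml` carrying the RUSTSEC-2023-0071 exception looks like; it is not the file from this PR, and the wording of the comment is assumed, built only from the rationale given in the description above.

```toml
# .cargo/audit.toml (added example, not the PR's own file)
#
# cargo-audit reads the [advisories] table from this file and skips the
# listed advisory IDs when deciding whether the tree is "clean".
# Every entry here should carry a reason and a tracking reference so the
# exception is reviewed rather than forgotten.

[advisories]
ignore = [
    # RUSTSEC-2023-0071: Marvin Attack (timing side-channel in the rsa crate).
    # Reachable through rsa 0.9.10 (via ssh-key 0.6.x) and rsa 0.10.0-rc.17
    # (via the vendored bssh-russh fork). No fixed upstream release exists for
    # any rsa version, and rsa 0.10.0-rc.18 conflicts with bssh-russh's
    # pkcs5 = "=0.8.0-rc.13" pin.
    # Practical mitigation: prefer Ed25519 or ECDSA keys over RSA keys.
    # Tracking: RustCrypto/RSA#19. Re-evaluate when the pin can move.
    "RUSTSEC-2023-0071",
]
```

The ignore list only silences the report; the affected code path still ships, which is why the comment records the user-facing mitigation and the upstream issue to watch.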
@inureyes inureyes added labels status:review (Under review), priority:medium (Medium priority issue), type:security (Security vulnerability or fix), type:dependency (Dependency updates) on May 11, 2026
@inureyes inureyes merged commit 3e005d6 into main May 11, 2026
2 checks passed
@inureyes inureyes deleted the update/security-audit-cleanup branch May 11, 2026 06:07