From 025d45a5913d650605406f2a3a11d874315544a1 Mon Sep 17 00:00:00 2001
From: Stefan Steiner
Date: Thu, 14 May 2026 10:56:15 -0700
Subject: [PATCH 1/2] docs(security): note CVE-2026-43868 in thrift Rust crate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Dependabot flagged the Apache Thrift "Memory Allocation with Excessive Size Value" advisory (CVE-2026-43868 / GHSA-2f9f-gq7v-9h6m), which lists the Rust `thrift` crate ≤ 0.22.0 as affected.

We can't actually fix it: the latest published version on crates.io is 0.17.0 (from Nov 2022), and Apache Thrift's "0.23.0 fix" is in the C++/Java/Python bindings only — no patched Rust crate has been published.

We pull thrift transitively via `parquet` in hyperdb-mcp (parquet metadata parsing of operator-supplied local files).

Add forward-looking comments to deny.toml and .cargo/audit.toml so a future maintainer sees the situation. No waiver yet — RustSec hasn't issued a RUSTSEC-2026-NNNN ID, so cargo-audit / cargo-deny aren't failing on it. The comments document what to do when the ID lands.
---
 .cargo/audit.toml | 8 ++++++++
 deny.toml | 11 +++++++++++
 2 files changed, 19 insertions(+)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 20bc935..9afa0cf 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -16,3 +16,11 @@ ignore = [
 # observable to a remote attacker. Threat model does not apply.
 "RUSTSEC-2023-0071",
 ]
+
+# Forward-looking note (no waiver yet — RustSec hasn't issued an ID):
+# CVE-2026-43868 / GHSA-2f9f-gq7v-9h6m affects the `thrift` Rust crate
+# (≤ 0.22.0). Latest published is 0.17.0; Apache Thrift hasn't released
+# a fixed Rust crate (the "0.23.0 fix" is in C++/Java/Python only). We
+# pull thrift transitively via `parquet` in hyperdb-mcp. When RustSec
+# assigns a `RUSTSEC-2026-NNNN` ID, add it to the ignore list above
+# with the matching entry in deny.toml.
diff --git a/deny.toml b/deny.toml
index 8c6bb93..873b8f3 100644
--- a/deny.toml
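Review bot: The last two added lines of the audit.toml note pre-authorize adding the future RUSTSEC ID to `ignore` unconditionally, and unlike the deny.toml counterpart they record no threat-model rationale — cargo-audit's `ignore` is a bare list of IDs, so the justification has to live in this comment or it is lost. The first step once an ID lands should be to re-check whether a patched `thrift` crate or a `parquet` release that drops it has appeared, and only then waive. I'd replace the closing lines with: `# assigns a RUSTSEC-2026-NNNN ID, first re-check crates.io for a patched thrift / parquet bump;` / `# only if still unfixed, add the ID above with a one-line reason: thrift reached solely via` / `# parquet metadata parsing of operator-supplied local files (advisory class is oversized allocation — confirm impact against the advisory text).` That the reachable path is limited to operator-supplied files is taken from the commit message, not from anything visible in this file.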
+++ b/deny.toml
@@ -69,6 +69,17 @@ ignore = [
 { id = "RUSTSEC-2023-0071", reason = "rsa used only for outbound JWT signing where Marvin Attack threat model does not apply" },
 ]
+# Forward-looking note (no waiver yet — RustSec hasn't issued an ID):
+# CVE-2026-43868 / GHSA-2f9f-gq7v-9h6m affects the `thrift` Rust crate
+# (≤ 0.22.0). The latest published version on crates.io is 0.17.0 — Apache
+# Thrift has not released a fixed Rust crate (the project's "0.23.0 fix"
+# is in C++/Java/Python only). We pull `thrift` transitively via `parquet`
+# in hyperdb-mcp (parquet metadata parsing only — used against operator-
+# supplied local files via `load_file`/`query_file`/`export`). When
+# RustSec assigns a `RUSTSEC-2026-NNNN` ID, add it to the ignore list
+# above with rationale: "thrift transitively via parquet; no fix
+# available on crates.io; operator-controlled inputs only."
+
 # -------------------------------------------------------------------------
 # Banned / duplicate crates
 # -------------------------------------------------------------------------

From c04f07dccdb3be570dc776c02e9bb3d18a35f7aa Mon Sep 17 00:00:00 2001
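Review bot: The canned rationale on the last two added lines, "operator-controlled inputs only", is what will carry the security weight of the future waiver, and it rests on `load_file`/`query_file`/`export` taking paths only from the operator. In an MCP server those tools are typically invoked by a model-driven client, so the path may be chosen by whoever steers the agent rather than by the operator; if that holds, a hostile parquet file is reachable and an oversized-allocation bug becomes a remotely triggerable OOM rather than a self-inflicted one. The comment should state that assumption explicitly and date the "no fix" claim so the waiver gets re-examined, e.g. `# above with rationale: "thrift via parquet; no fixed crate on crates.io as of <date>;` / `# reached only through load_file/query_file/export on operator-chosen local paths —` / `# revisit if these tools ever accept paths from untrusted MCP clients."` Whether the path argument is client-supplied is inferred from the project name and the MCP tool names, not from anything visible here.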
From: Stefan Steiner
Date: Thu, 14 May 2026 11:11:41 -0700
Subject: [PATCH 2/2] ci: skip CI for docs-only changes via paths-ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pure-prose changes (top-level *.md, docs/**, LICENSE files, GitHub issue/PR templates) don't affect Rust compilation, lint output, advisory checks, or the publish dry-run. Add paths-ignore to ci.yml push and pull_request triggers so docs-only PRs don't burn CI minutes.

Deliberately excluded from the ignore list:

- deny.toml and .cargo/audit.toml — these configure the security checks themselves; a typo would silently disable them.
- .github/workflows/** — workflow edits should run CI.
- examples/**.rs — these are Rust source compiled by cargo build --examples and validated as part of the test job.

GitHub Actions doesn't reliably support YAML anchors, so the same list is duplicated under push and pull_request — keep them in sync.

Mixed PRs (docs + code) still trigger CI because paths-ignore only suppresses the workflow when ALL changed files match.
---
 .github/workflows/ci.yml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0509dfc..189b54e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,9 +5,29 @@ name: ci
 # HEADs the pinned release's URLs.
 on:
+  # Pure-prose changes don't affect Rust compilation, lint output,
+  # advisory checks, or the publish dry-run. The paths-ignore lists
+  # below skip CI on docs-only PRs to avoid burning CI minutes. Note:
+  # `deny.toml` and `.cargo/audit.toml` are deliberately NOT in the
+  # ignore list — those files configure the security checks themselves
+  # and a typo would silently disable them. Keep the two lists in sync.
   push:
     branches: [main]
-  pull_request: {}
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "LICENSE-*"
+      - "NOTICE"
+      - ".github/ISSUE_TEMPLATE/**"
+      - ".github/pull_request_template.md"
+  pull_request:
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "LICENSE-*"
+      - "NOTICE"
+      - ".github/ISSUE_TEMPLATE/**"
+      - ".github/pull_request_template.md"
   workflow_dispatch: {}
 # Cancel a PR's in-progress CI runs when a new push lands on the PR.