Merge branch 'ignore-atty-vuln'

mullvad · Nov 24, 2022 · dc1a1a9 · dc1a1a9
2 parents 865f896 + bcb4d1d
commit dc1a1a9
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
@@ -26,6 +26,11 @@ jobs:
                   version: latest
 
             - name: Audit
-              # TEMP: Ignore the time segfault CVE since there are no known
+              # RUSTSEC-2020-0071: Ignore the time segfault CVE since there are no known
               # good workarounds, and we want logs etc to be in local time.
-              run: cargo audit --ignore RUSTSEC-2020-0071
+              # RUSTSEC-2021-0145: The vulnerability affects custom global allocators,
+              # so it should be safe to ignore it. Stop ignoring the warning once
+              # atty has been replaced in clap and env_logger:
+              # https://github.com/clap-rs/clap/pull/4249
+              # https://github.com/rust-cli/env_logger/pull/246
+              run: cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2021-0145