alamb opened a new pull request, #23607:
URL: https://github.com/apache/datafusion/pull/23607

   ## Which issue does this PR close?
   
   - Part of #22547 (54.1.0 release)
   
   ## Rationale for this change
   
   `cargo audit` is failing on `branch-54` with 7 vulnerabilities across 5 
crates:
   
   - `crossbeam-epoch` 0.9.18: 
[RUSTSEC-2026-0204](https://rustsec.org/advisories/RUSTSEC-2026-0204)
   - `postgres-protocol` 0.6.11: 
[RUSTSEC-2026-0179](https://rustsec.org/advisories/RUSTSEC-2026-0179) (high), 
[RUSTSEC-2026-0180](https://rustsec.org/advisories/RUSTSEC-2026-0180)
   - `quinn-proto` 0.11.14: 
[RUSTSEC-2026-0185](https://rustsec.org/advisories/RUSTSEC-2026-0185) (high)
   - `tokio-postgres` 0.7.17: 
[RUSTSEC-2026-0178](https://rustsec.org/advisories/RUSTSEC-2026-0178)
   - `quick-xml` 0.39.2: 
[RUSTSEC-2026-0194](https://rustsec.org/advisories/RUSTSEC-2026-0194) (high), 
[RUSTSEC-2026-0195](https://rustsec.org/advisories/RUSTSEC-2026-0195) (high)
   
   This follows the model of similar fixes on earlier maintenance branches:
   - https://github.com/apache/datafusion/pull/21415 (branch-52)
   - https://github.com/apache/datafusion/pull/21587 (branch-53)
   
   ## What changes are included in this PR?
   
   - `cargo update` for `crossbeam-epoch`, `postgres-protocol`, `quinn-proto`, 
and `tokio-postgres` (plus its `postgres-types` / `postgres-derive` 
co-dependencies) to the patched versions (`Cargo.lock` only)
   - Add `--ignore RUSTSEC-2026-0194 --ignore RUSTSEC-2026-0195` to the audit 
CI job for the two `quick-xml` advisories. The fix requires `quick-xml` 0.41, 
which is only used by `object_store` 0.14 — a breaking upgrade that can not be 
backported to this maintenance branch (`branch-54` pins `object_store` 0.13). 
Note that `main` currently fails `cargo audit` for the same two advisories.
   
   ## Are these changes tested?
   
   Yes, by CI. `cargo audit` now passes locally with the ignore flags (only 
allowed warnings remain).
   
   ## Are there any user-facing changes?
   
   No, dependency version bumps in `Cargo.lock` and a CI change only.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to