Summary
Both `cargo audit` and `npm audit` are failing in CI with real vulnerabilities in the dependency tree. These block all PRs from passing CI.
cargo audit failures (5 vulnerabilities)
| ID | Severity | Crate | Solution |
|---|---|---|---|
| RUSTSEC-2023-0071 | 5.9 (medium) | openssl-src | No fix available |
| RUSTSEC-2026-0104 | - | rustls-webpki | Upgrade to >=0.103.13 |
| RUSTSEC-2026-0099 | - | rustls-webpki | Upgrade to >=0.103.12 |
| RUSTSEC-2026-0098 | - | rustls-webpki | Upgrade to >=0.103.12 |
| RUSTSEC-2024-0363 | - | atk-sys | Upgrade to >=0.8.1 |
npm audit failures
DOMPurify contains a Cross-site Scripting vulnerability (GHSA-v2wj-7wpq-c8vv), 1 high-severity advisory, plus 4 other low/moderate advisories.
Next steps
- Run `cargo update` to try resolving the Rust advisories where fixes exist
- Run `npm audit fix` for the npm vulnerabilities
- For unfixable advisories (like RUSTSEC-2023-0071/openssl-src), consider adding an `[advisories]` `ignore` section to `.cargo/audit.toml`
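One way to act on these steps in CI, as an added example that is not part of the issue or the project: a small Python triage script that reads `cargo audit --json` output together with the `[advisories]` `ignore` list from `.cargo/audit.toml`, and separates advisories that `cargo update` can resolve from those that still need an explicit accept-or-block decision. The JSON shape (`vulnerabilities.list[].advisory.id` and `versions.patched`) is my understanding of cargo-audit's report format and is an assumption here; both the JSON and the `audit.toml` text below are constructed samples mirroring the table above.

```python
"""Triage `cargo audit --json` output against the .cargo/audit.toml ignore list.

Each advisory ends up in one bucket:
  ignored  - listed under [advisories] ignore, i.e. an accepted risk
  fixable  - a patched version exists; `cargo update` (or a Cargo.toml bump if the
             patched version is outside the declared semver range) should clear it
  blocking - no patched version and not accepted: needs a decision
"""
import json
import re
import sys

# Constructed sample .cargo/audit.toml accepting the advisory that has no fix.
AUDIT_TOML = """
[advisories]
ignore = ["RUSTSEC-2023-0071"]  # openssl-src: no fix available, accepted risk
"""

# Constructed sample shaped like `cargo audit --json` (assumed field names; only
# the fields used below are included).
AUDIT_JSON = json.dumps({"vulnerabilities": {"found": True, "count": 3, "list": [
    {"advisory": {"id": "RUSTSEC-2023-0071", "package": "openssl-src"},
     "versions": {"patched": [], "unaffected": []}},
    {"advisory": {"id": "RUSTSEC-2026-0104", "package": "rustls-webpki"},
     "versions": {"patched": [">=0.103.13"], "unaffected": []}},
    {"advisory": {"id": "RUSTSEC-2024-0363", "package": "atk-sys"},
     "versions": {"patched": [">=0.8.1"], "unaffected": []}},
]}})


def ignored_ids(audit_toml: str) -> set:
    """Pull the RUSTSEC ids out of `[advisories] ignore = [...]` (simple layouts only)."""
    section = audit_toml.split("[advisories]", 1)[-1]
    m = re.search(r"ignore\s*=\s*\[([^\]]*)\]", section)
    return set(re.findall(r"RUSTSEC-\d{4}-\d{4}", m.group(1))) if m else set()


def triage(audit_json: str, audit_toml: str) -> dict:
    """Bucket every reported advisory id into ignored / fixable / blocking."""
    out = {"ignored": [], "fixable": [], "blocking": []}
    ignore = ignored_ids(audit_toml)
    for v in json.loads(audit_json)["vulnerabilities"]["list"]:
        aid = v["advisory"]["id"]
        if aid in ignore:
            out["ignored"].append(aid)
        elif v["versions"]["patched"]:  # at least one patched version published
            out["fixable"].append(aid)
        else:
            out["blocking"].append(aid)
    return out


def ci_exit_code(result: dict) -> int:
    """Fail the job while any non-accepted advisory remains, fixable or not."""
    return 1 if result["fixable"] or result["blocking"] else 0


if __name__ == "__main__":
    report = triage(AUDIT_JSON, AUDIT_TOML)
    for bucket, ids in report.items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
    sys.exit(ci_exit_code(report))
```

In a real pipeline, replace the two constants with `cargo audit --json` output and the repository's `.cargo/audit.toml`; the `fixable` bucket is the list to feed to `cargo update`.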