
Bump Helios off jsonrpsee 0.19 / rustls 0.21 to clear the webpki + hickory advisory ignores #51

Description

@hellno

Goal

Modernize the Helios light-client dependency stack so we can remove the transitive advisory ignores from deny.toml at the source, instead of carrying them.

This is the one remaining piece of the supply-chain hardening from #40 (the cargo-deny gates themselves are now blocking and green — see #41/#42/#43). It's split out here because it's a self-contained upstream-dependency bump, well-scoped for someone to pick up and take to Helios upstream.

The ignores we want to delete

These live in deny.toml (currently lines ~26–38) and all ride the Helios → jsonrpsee 0.19 → rustls 0.21 → rustls-webpki 0.101 stack (plus reqwest's resolver for the DNS pair):

rustls-webpki 0.101 — TLS path-validation

  • RUSTSEC-2026-0098 — URI name-constraint bypass
  • RUSTSEC-2026-0099 — wildcard-cert name-constraint bypass
  • RUSTSEC-2026-0104 — reachable panic in CRL parsing (we don't use CRLs)

hickory DNS — DoS (via reqwest resolver)

  • RUSTSEC-2026-0118 — NSEC3 closest-encloser unbounded loop
  • RUSTSEC-2026-0119 — O(n²) name-compression CPU exhaustion

rustls-pemfile

  • RUSTSEC-2025-0134 — unmaintained

Why the obvious fix doesn't work

rustls 0.21 caps rustls-webpki at 0.101, so cargo update -p rustls-webpki can't fix it. The real fix is bumping Helios to a newer jsonrpsee (on rustls 0.23). That's a jsonrpsee 0.19 → 0.2x jump which crosses the hyper 1.0 boundary — scope it carefully; it may need upstream changes in Helios.

Folding Helios/reqwest onto rustls-tls (away from native-tls) in the same pass would also drop the openssl ban exception.
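Before scoping the bump it is worth confirming that jsonrpsee really is the only route from the workspace to rustls 0.21 / rustls-webpki 0.101, since any other route would survive a Helios-only fix. The script below is an added example for this issue, not code from Helios or this repository: it parses the output of `cargo tree -i rustls-webpki` (inverted tree, i.e. who depends on the affected crate), lists the workspace crates at the end of each chain, and flags chains that do not pass through the crate being bumped. The `SAMPLE_TREE` text is constructed for the example; the crate names under the rustls node (helios-core, deckard-cli, example-rpc-client, the paths) are placeholders, and the example-rpc-client branch is a made-up second path included only to exercise the bypass check.

```python
"""Check which dependency chains still pull in an advisory-affected crate.

Added example, not project code. Feed it the text of
`cargo tree -i <crate>` (inverted: dependents, not dependencies) and it
reports the workspace crates at the end of every chain and which chains
would NOT be cleared by bumping a single intermediate crate.
"""
import re
from typing import List, Tuple

# Constructed sample of `cargo tree -i rustls-webpki` output for this
# example. helios-core, example-rpc-client, deckard-* and the paths are
# placeholders, not a real lockfile capture.
SAMPLE_TREE = """\
rustls-webpki v0.101.7
└── rustls v0.21.12
    ├── hyper-rustls v0.24.2
    │   └── jsonrpsee-client-transport v0.19.0
    │       └── jsonrpsee v0.19.0
    │           └── helios-core v0.5.0
    │               └── deckard-signerd v0.1.0 (/work/deckard/signerd)
    ├── example-rpc-client v0.3.0
    │   └── deckard-cli v0.1.0 (/work/deckard/cli)
    └── tokio-rustls v0.24.1
        └── hyper-rustls v0.24.2 (*)
"""

# cargo tree draws each nesting level as a 4-character group:
# "│   ", "    ", "├── " or "└── ", followed by "<name> v<version> [extras]".
NODE_RE = re.compile(
    r"^(?P<prefix>(?:[│ ]   |[├└]── )*)(?P<name>\S+) v(?P<ver>\S+)(?P<rest>.*)$"
)

Chain = List[Tuple[str, str]]  # [(crate, version), ...] from affected crate to dependent


def parse_inverted_tree(text: str) -> List[Chain]:
    """Turn `cargo tree -i` output into chains from the affected crate to each leaf.

    A node marked `(*)` is cargo's de-duplication marker (its dependents were
    already printed elsewhere), so it is not reported as a chain end.
    """
    stack: List[Tuple[str, str]] = []
    chains: List[Chain] = []
    prev_is_leaf = False
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 4
        # If this node is not deeper than the previous one, the previous node
        # had no children in the listing: it terminates a chain.
        if prev_is_leaf and depth <= len(stack) - 1:
            chains.append(list(stack))
        del stack[depth:]
        stack.append((m.group("name"), m.group("ver")))
        prev_is_leaf = "(*)" not in m.group("rest")
    if prev_is_leaf and stack:
        chains.append(list(stack))
    return chains


def top_level_dependents(chains: List[Chain]) -> List[str]:
    """Crates at the end of each chain: the workspace members still affected."""
    return sorted({chain[-1][0] for chain in chains})


def chains_bypassing(chains: List[Chain], via: str) -> List[Chain]:
    """Chains that do not go through `via`: bumping `via` alone leaves these."""
    return [c for c in chains if all(name != via for name, _ in c)]


def format_chain(chain: Chain) -> str:
    """Render a chain as 'dependent <- ... <- affected crate'."""
    return " <- ".join(f"{name} {ver}" for name, ver in reversed(chain))


if __name__ == "__main__":
    found = parse_inverted_tree(SAMPLE_TREE)
    for chain in found:
        print(format_chain(chain))
    print("still affected:", ", ".join(top_level_dependents(found)))
    for chain in chains_bypassing(found, "jsonrpsee"):
        print("NOT cleared by a jsonrpsee bump:", format_chain(chain))
```

Run it as `cargo tree -i rustls-webpki | python3 check_chains.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; the same invocation with `-i hickory-proto` scopes the DNS pair. An empty "NOT cleared" list is the evidence that the Helios/jsonrpsee bump is sufficient on its own; a non-empty one names the extra crates that need to move in the same pass.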

Severity context (why these are accept-for-now, not fund-theft holes)

Custody never rests on TLS: Helios proof-checks every read against the consensus sync committee, signing is local in deckard-signerd, and a signed tx is self-authenticating. The webpki/hickory advisories are liveness / defense-in-depth on the transport, not custody paths. That's why they're safely ignored today — but the ignores should have an exit.

Done when

  • Helios is bumped to a jsonrpsee/rustls 0.23 stack (upstream PR if needed).
  • The rustls-webpki, hickory, and rustls-pemfile ignore entries are removed from deny.toml.
  • cargo deny check advisories stays green without them.
  • Bonus: openssl ban exception dropped if the stack moves to rustls-tls.

Context: docs/AGENTIC-ENGINEERING.md §4. Split out from #40.
