We don't run cargo audit automatically but I'm surprised that Dependabot did not report any of these vulnerabilities:
Crate: crossbeam-epoch
Version: 0.9.18
Title: Invalid pointer dereference in `fmt::Pointer` impl for `Atomic` and `Shared` when the underlying pointer is invalid
Date: 2026-07-06
ID: RUSTSEC-2026-0204
URL: https://rustsec.org/advisories/RUSTSEC-2026-0204
Solution: Upgrade to >=0.9.20
Crate: quick-xml
Version: 0.38.4
Title: Quadratic run time when checking a start tag for duplicate attribute names
Date: 2026-06-29
ID: RUSTSEC-2026-0194
URL: https://rustsec.org/advisories/RUSTSEC-2026-0194
Severity: 7.5 (high)
Solution: Upgrade to >=0.41.0
Crate: quick-xml
Version: 0.38.4
Title: Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
Date: 2026-06-29
ID: RUSTSEC-2026-0195
URL: https://rustsec.org/advisories/RUSTSEC-2026-0195
Severity: 7.5 (high)
Solution: Upgrade to >=0.41.0
Crate: quick-xml
Version: 0.39.2
Title: Quadratic run time when checking a start tag for duplicate attribute names
Date: 2026-06-29
ID: RUSTSEC-2026-0194
URL: https://rustsec.org/advisories/RUSTSEC-2026-0194
Severity: 7.5 (high)
Solution: Upgrade to >=0.41.0
Crate: quick-xml
Version: 0.39.2
Title: Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
Date: 2026-06-29
ID: RUSTSEC-2026-0195
URL: https://rustsec.org/advisories/RUSTSEC-2026-0195
Severity: 7.5 (high)
Solution: Upgrade to >=0.41.0
Crate: quinn-proto
Version: 0.11.14
Title: Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
Date: 2026-06-22
ID: RUSTSEC-2026-0185
URL: https://rustsec.org/advisories/RUSTSEC-2026-0185
Severity: 7.5 (high)
Solution: Upgrade to >=0.11.15
Crate: bincode
Version: 1.3.3
Warning: unmaintained
Title: Bincode is unmaintained
Date: 2025-12-16
ID: RUSTSEC-2025-0141
URL: https://rustsec.org/advisories/RUSTSEC-2025-0141
Crate: paste
Version: 1.0.15
Warning: unmaintained
Title: paste - no longer maintained
Date: 2024-10-07
ID: RUSTSEC-2024-0436
URL: https://rustsec.org/advisories/RUSTSEC-2024-0436
Crate: rustybuzz
Version: 0.20.1
Warning: unmaintained
Title: `rustybuzz` is unmaintained
Date: 2026-07-11
ID: RUSTSEC-2026-0206
URL: https://rustsec.org/advisories/RUSTSEC-2026-0206
Crate: ttf-parser
Version: 0.25.1
Warning: unmaintained
Title: `ttf-parser` is unmaintained
Date: 2026-06-28
ID: RUSTSEC-2026-0192
URL: https://rustsec.org/advisories/RUSTSEC-2026-0192
Crate: yaml-rust
Version: 0.4.5
Warning: unmaintained
Title: yaml-rust is unmaintained.
Date: 2024-03-20
ID: RUSTSEC-2024-0320
URL: https://rustsec.org/advisories/RUSTSEC-2024-0320
Crate: anyhow
Version: 1.0.102
Warning: unsound
Title: Unsoundness in `Error::downcast_mut()`
Date: 2026-06-25
ID: RUSTSEC-2026-0190
URL: https://rustsec.org/advisories/RUSTSEC-2026-0190
Crate: memmap2
Version: 0.9.10
Warning: unsound
Title: Unchecked pointer offset in crate `memmap2`
Date: 2026-06-20
ID: RUSTSEC-2026-0186
URL: https://rustsec.org/advisories/RUSTSEC-2026-0186
Crate: rand
Version: 0.8.5
Warning: unsound
Title: Rand is unsound with a custom logger using `rand::rng()`
Date: 2026-04-09
ID: RUSTSEC-2026-0097
URL: https://rustsec.org/advisories/RUSTSEC-2026-0097
Crate: spin
Version: 0.9.8
Warning: yanked
error: 6 vulnerabilities found!
warning: 9 allowed warnings found
We don't run
cargo auditautomatically but I'm surprised that Dependabot did not report any of these vulnerabilities: