[PR #6727] [CLOSED] Remediations/audit 2025 11 09 #3803

Closed
opened 2026-02-05 05:45:26 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6727
Author: @kalvinparker
Created: 1/16/2026
Status: Closed

Base: mainHead: remediations/audit-2025-11-09


📝 Commits (10+)

  • 0951c8d Add supply chain audit workflow with cargo-audit and cargo-deny steps
  • 54053f7 Add audit and deny command error messages to respective files
  • 1f2cadc chore(audit): add cargo-deny policy, CI audit workflow and security note (2025-11-09)
  • e3d2518 chore(deps): attempt bump openidconnect and rmpv to avoid transitive rsa/paste
  • 5818cbf chore(audit): fix deny.toml to valid cargo-deny format
  • f84d861 chore(audit): make deny.toml parseable by cargo-deny
  • eb07761 chore(deps): revert attempted openidconnect/rmpv bumps (incompatible with crates.io)
  • 22ff369 chore(deps): allow caret ranges for rmpv and openidconnect to permit safe published bumps
  • f16723c chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note
  • a64bf18 chore(audit): format deny.toml license exceptions as licenses.exceptions (cargo-deny compatible)

📊 Changes

81 files changed (+2112 additions, -6 deletions)

View changed files

.github/PR_BODY_UPDATE-2.md (+30 -0)
.github/workflows/audit.yml (+37 -0)
.github/workflows/supply-chain-audit-registered.yml (+59 -0)
.github/workflows/supply-chain-audit.yml (+70 -0)
📝 Cargo.lock (+4 -4)
📝 Cargo.toml (+2 -2)
SECURITY-AUDIT-2025-11-09.md (+56 -0)
audit.txt (+18 -0)
deny-advisories.txt (+6 -0)
deny-licenses.txt (+6 -0)
deny.toml (+29 -0)
docker/audit/Dockerfile (+19 -0)
docker/audit/audit.sh (+14 -0)
docker/audit/exp/patch_and_run.sh (+18 -0)
docker/audit/exp/reqwest_native_exp.sh (+16 -0)
docker/audit/output/ar_exp.done (+1 -0)
docker/audit/output/cargo-audit.err (+12 -0)
docker/audit/output/cargo-audit.json (+0 -0)
docker/audit/output/cargo-deny-advisories.err (+2 -0)
docker/audit/output/cargo-deny-advisories.json (+0 -0)

...and 61 more files

📄 Description

No description provided


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/6727 **Author:** [@kalvinparker](https://github.com/kalvinparker) **Created:** 1/16/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `remediations/audit-2025-11-09` --- ### 📝 Commits (10+) - [`0951c8d`](https://github.com/dani-garcia/vaultwarden/commit/0951c8d220497dfdc294163112ae69e31780ba79) Add supply chain audit workflow with cargo-audit and cargo-deny steps - [`54053f7`](https://github.com/dani-garcia/vaultwarden/commit/54053f7e28fb67d32c8a8cbb441e489949df23f2) Add audit and deny command error messages to respective files - [`1f2cadc`](https://github.com/dani-garcia/vaultwarden/commit/1f2cadc8b26ff5e98789f32357583545954180a4) chore(audit): add cargo-deny policy, CI audit workflow and security note (2025-11-09) - [`e3d2518`](https://github.com/dani-garcia/vaultwarden/commit/e3d25181b5d6fba6396335fc574ccd878487e008) chore(deps): attempt bump openidconnect and rmpv to avoid transitive rsa/paste - [`5818cbf`](https://github.com/dani-garcia/vaultwarden/commit/5818cbfff91bd08aeea6337668f949b7009eefeb) chore(audit): fix deny.toml to valid cargo-deny format - [`f84d861`](https://github.com/dani-garcia/vaultwarden/commit/f84d86174631f3744ac8651589246fb580892bad) chore(audit): make deny.toml parseable by cargo-deny - [`eb07761`](https://github.com/dani-garcia/vaultwarden/commit/eb077610b8409546fbccbedd1beaac1e899a45a0) chore(deps): revert attempted openidconnect/rmpv bumps (incompatible with crates.io) - [`22ff369`](https://github.com/dani-garcia/vaultwarden/commit/22ff36919c011a80e37a5d7be5a1edc4d99ef0fb) chore(deps): allow caret ranges for rmpv and openidconnect to permit safe published bumps - [`f16723c`](https://github.com/dani-garcia/vaultwarden/commit/f16723c8d8610ef093e7046af8439bb02875d865) chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note - [`a64bf18`](https://github.com/dani-garcia/vaultwarden/commit/a64bf189356b471e004af29f4a7b298f4bcb2797) chore(audit): format deny.toml license exceptions as [[licenses.exceptions]] (cargo-deny compatible) ### 📊 Changes **81 files changed** (+2112 additions, -6 deletions) <details> <summary>View changed files</summary> ➕ `.github/PR_BODY_UPDATE-2.md` (+30 -0) ➕ `.github/workflows/audit.yml` (+37 -0) ➕ `.github/workflows/supply-chain-audit-registered.yml` (+59 -0) ➕ `.github/workflows/supply-chain-audit.yml` (+70 -0) 📝 `Cargo.lock` (+4 -4) 📝 `Cargo.toml` (+2 -2) ➕ `SECURITY-AUDIT-2025-11-09.md` (+56 -0) ➕ `audit.txt` (+18 -0) ➕ `deny-advisories.txt` (+6 -0) ➕ `deny-licenses.txt` (+6 -0) ➕ `deny.toml` (+29 -0) ➕ `docker/audit/Dockerfile` (+19 -0) ➕ `docker/audit/audit.sh` (+14 -0) ➕ `docker/audit/exp/patch_and_run.sh` (+18 -0) ➕ `docker/audit/exp/reqwest_native_exp.sh` (+16 -0) ➕ `docker/audit/output/ar_exp.done` (+1 -0) ➕ `docker/audit/output/cargo-audit.err` (+12 -0) ➕ `docker/audit/output/cargo-audit.json` (+0 -0) ➕ `docker/audit/output/cargo-deny-advisories.err` (+2 -0) ➕ `docker/audit/output/cargo-deny-advisories.json` (+0 -0) _...and 61 more files_ </details> ### 📄 Description _No description provided_ --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-05 05:45:26 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#3803