security: 5 CVE advisories in Cargo.lock (bridge triage, Track E)

[hyperpolymath]

panic-attack estate sweep — Track E bridge triage

panic-attack bridge triage (RustSec advisory DB, with reachability analysis) found 5 CVE/advisory findings in this repo's Cargo.lock (out of 227 total dependencies; 5 vulnerable).

Severity: medium: 5
Reachability: phantom: 5
Classification: informational: 5

Each finding includes a recommended action (often Remove unused dependency for phantom-imported crates). Reachability phantom = declared in Cargo.toml but never imported in any .rs file — removing the dep eliminates the CVE entirely with no behavioural change.

Estate tracker: hyperpolymath/panic-attack#32.

Findings

full advisory list

RUSTSEC-2021-0153  encoding@0.2.33  medium  reach=phantom  class=informational  fix=
GHSA-h97m-ww89-6jmq  idna@0.4.0  medium  reach=phantom  class=informational  fix=
RUSTSEC-2024-0421  idna@0.4.0  medium  reach=phantom  class=informational  fix=
GHSA-phqj-4mhp-q6mq  openssl@0.10.79  medium  reach=phantom  class=informational  fix=
RUSTSEC-2025-0017  trust-dns-proto@0.23.2  medium  reach=phantom  class=informational  fix=

---

🤖 Discovered during the panic-attack estate sweep (2026-05-26) — Track E (bridge triage). See hyperpolymath/panic-attack#32 for campaign tracker.

[hyperpolymath]

Cohort E-3 — vendored-pin allowlist (do NOT strip)

This repo contains a vendored-pin pattern in vext-core/Cargo.toml:

# TLS support (use vendored OpenSSL for cross-compilation)
native-tls = "0.2"
tokio-native-tls = "0.3"
openssl-sys = { version = "0.9", features = ["vendored"] }

Why this is load-bearing

openssl-sys with features = ["vendored"] builds OpenSSL from source via openssl-src rather than linking the system library. This is critical for:

• Cross-compilation (no system libssl-dev required on the target)
• Reproducible builds across Debian/Ubuntu/Alpine variants
• The cargo-deb / generate-rpm packaging targets declared further down

A use openssl_sys::* site does not exist in .rs source (the crate is used purely for its build-script side-effect of forcing vendored linkage of the underlying openssl-src chain that native-tls then consumes). cargo machete or other phantom-detectors will incorrectly flag this dep as removable — it must not be stripped.

Phantom advisories in this issue

All 5 advisories (encoding, idna, openssl@0.10.79, trust-dns-proto) are transitive through native-tls / trust-dns-resolver, not direct deps. There is no safe single-line strip available in this repo. Mitigation path is upstream version bumps (trust-dns-resolver → hickory-resolver, native-tls → rustls) — out of scope for the Cohort E mechanical sweep.

Tracking

Allowlist policy filed at hyperpolymath/panic-attack (linked from this comment when issue lands) so future cargo machete --fix runs skip openssl-sys with vendored feature and any links = directive.

No phantom-strip PR will be filed against this repo under Cohort E-3.

🤖 Track E Cohort E-3 triage — 2026-05-27

[hyperpolymath]

Allowlist tracking issue filed: hyperpolymath/panic-attack#74