mirror of
https://github.com/huggingface/xet-core.git
synced 2026-06-04 13:30:29 +08:00
CI for hf-hub is running cargo audit and found many issues through
hf-xet transitive deps. This PR attempts to solve some of them (not
necessarily all of them).

Main changes:
- dropped derivative and reqwest-retry
- replaced bincode with postcard, only used in testing
- upgraded xet-core rand usage
- added an audit CI step and ignored some issues that we can't easily fix.
---
> [!NOTE]
> **Medium Risk**
> Medium risk because it removes `reqwest-retry`/`derivative` and replaces part of the retry classification logic with an in-house equivalent, which could subtly change HTTP retry behavior; the remaining changes are dependency/version bumps and test-only serialization swaps.
>
> **Overview**
> Adds a new CI `cargo audit` job and introduces `.cargo/audit.toml` to ignore a small set of **dev-only** RustSec advisories with documented rationale.
>
> Reduces audit surface by dropping `derivative` (manual `Debug` impl for `AuthConfig`) and removing `reqwest-retry`, replacing its status-code classification with a local `Retryable` enum + `default_on_request_success` helper in `RetryWrapper`.
>
> Updates workspace deps (notably `rand` to `0.10` and `rand_distr` to `0.6`) and adjusts call sites to the newer `rand` APIs (`RngExt` imports, minor test/bench tweaks). Test-only binary serialization switches from `bincode` to `postcard` (and updates affected tests), with corresponding lockfile updates across crates.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 26377f4a1c. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
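The risk note above is about the in-house replacement for `reqwest-retry`'s status-code classification drifting from the original. The block below is an added example, not xet-core's code: `Retryable` and `default_on_request_success` are the names the summary mentions, but the bodies encode the status-code rules as I recall them from reqwest-retry's default strategy (an assumption; check against that crate's source before relying on it), and `drifted_classifier` is a constructed stand-in for a replacement that silently stops retrying 408/429. `diff_classifiers` walks every status code and lists the disagreements, which is the comparison a reviewer of this change would want to run against the real `RetryWrapper` helper.

```rust
// Added example, not xet-core's code. The reference rules below are my
// recollection of reqwest-retry's default strategy (assumption, verify
// against the crate). Plain u16 status codes so it runs without reqwest.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Retryable {
    /// Worth retrying after a backoff.
    Transient,
    /// Retrying will not change the outcome.
    Fatal,
}

/// Classify a response that reached us (no transport error).
/// `None` means the request succeeded and nothing needs retrying.
pub fn default_on_request_success(status: u16) -> Option<Retryable> {
    match status {
        200..=299 => None,
        500..=599 => Some(Retryable::Transient),
        408 | 429 => Some(Retryable::Transient), // request timeout / rate limited
        400..=499 => Some(Retryable::Fatal),
        _ => Some(Retryable::Fatal), // 1xx/3xx surfacing unhandled here is not retryable
    }
}

/// Constructed stand-in for a replacement that drifted: every 4xx is fatal,
/// so rate limiting (429) and server-side request timeouts (408) stop being retried.
pub fn drifted_classifier(status: u16) -> Option<Retryable> {
    match status {
        200..=299 => None,
        500..=599 => Some(Retryable::Transient),
        _ => Some(Retryable::Fatal),
    }
}

/// Every status code in 100..600 on which the two classifiers disagree,
/// as (status, reference verdict, candidate verdict).
pub fn diff_classifiers(
    reference: fn(u16) -> Option<Retryable>,
    candidate: fn(u16) -> Option<Retryable>,
) -> Vec<(u16, Option<Retryable>, Option<Retryable>)> {
    (100u16..600)
        .filter(|&s| reference(s) != candidate(s))
        .map(|s| (s, reference(s), candidate(s)))
        .collect()
}

fn main() {
    // Prints the two codes (408, 429) where the drifted classifier diverges.
    for (status, want, got) in diff_classifiers(default_on_request_success, drifted_classifier) {
        println!("status {status}: reference {want:?}, candidate {got:?}");
    }
}
```

To use it against the real helper, point `candidate` at the project's classifier (adapting the `u16` signature to `reqwest::StatusCode` as needed); an empty diff is the evidence that the dependency swap changed nothing observable.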
23 lines · 1.2 KiB · TOML
```toml
# cargo audit configuration
# Docs: https://docs.rs/cargo-audit/latest/cargo_audit/config/index.html
#
# Add RUSTSEC IDs to `ignore` below when an advisory applies only to
# dev-dependencies (cargo audit can't distinguish dev vs normal deps on its
# own since Cargo.lock doesn't carry that info).
#
# To confirm a crate is reachable only via dev/build edges:
# cargo tree --invert --edges=normal <crate>
# If that prints nothing, the advisory is dev-only and safe to ignore here.
# Always include a comment explaining why each entry is ignored.

[advisories]
ignore = [
    "RUSTSEC-2026-0074", # libcrux-sha3 0.0.4 — dev-only via russh (ssh for git_xet integration tests)
    "RUSTSEC-2023-0071", # rsa 0.9.10 — dev-only via russh (ssh for git_xet integration tests)
    "RUSTSEC-2025-0052", # async-std discontinued — dev-only via russh → libcrux
    "RUSTSEC-2023-0089", # atomic-polyfill unmaintained — dev-only
    "RUSTSEC-2024-0375", # atty unmaintained — dev-only
    "RUSTSEC-2021-0145", # atty potential unaligned read — dev-only
    "RUSTSEC-2026-0097", # rand unsound with custom `log` feature — `log` feature not enabled in our tree (rand 0.8.5 and rand 0.9.2 both dev-only via russh → libcrux)
]
```
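The header of that file describes a manual check (`cargo tree --invert --edges=normal <crate>` must print nothing) that justifies each ignore, but nothing re-runs it when dependencies move, so an ignore can quietly outlive its rationale once a dev-only crate is pulled in through a normal edge. The block below is an added example, not part of xet-core: it parses the `ignore = [...]` block, derives a cargo package spec from the first words of each entry's comment (the file's own `# <crate> [<version>] — reason` convention, with the version pinned as `name@version` so that `cargo tree -i` is not ambiguous when several versions of a crate are in the lock file, as the page says is the case for `rand`), and reports any entry whose crate is still reachable through normal dependency edges or whose spec cargo cannot resolve. `SAMPLE` is a constructed input in the same shape as the real file; the `verify` function takes the tree lookup as a parameter so the logic can be exercised without cargo.

```rust
// Added example, not xet-core's code: re-runs the dev-only check that
// .cargo/audit.toml's header describes, for every ignored advisory.
use std::process::Command;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IgnoreEntry {
    pub id: String,   // e.g. "RUSTSEC-2023-0071"
    pub spec: String, // cargo package spec derived from the comment, e.g. "rsa@0.9.10" or "atty"
    pub note: String, // the full comment after '#'
}

/// Constructed sample in the shape of the real file (ids and crate names are the
/// page's; rationale text abbreviated). Used for stand-alone runs and tests.
pub const SAMPLE: &str = r#"
[advisories]
ignore = [
    "RUSTSEC-2023-0071", # rsa 0.9.10 — dev-only via russh
    "RUSTSEC-2024-0375", # atty unmaintained — dev-only
    "RUSTSEC-2026-0097", # rand unsound with custom `log` feature — dev-only
]
"#;

/// Extract (id, spec, note) from the `ignore = [ ... ]` block. Parsed by hand
/// because the crate name only exists in the comment, which a TOML parser drops.
pub fn parse_ignore_entries(toml: &str) -> Vec<IgnoreEntry> {
    let mut entries = Vec::new();
    let mut in_ignore = false;
    for line in toml.lines() {
        let t = line.trim();
        if t.starts_with("ignore") && t.ends_with('[') {
            in_ignore = true;
            continue;
        }
        if !in_ignore {
            continue;
        }
        if t.starts_with(']') {
            break;
        }
        let rest = match t.strip_prefix('"') { Some(r) => r, None => continue };
        let (id, after) = match rest.split_once('"') { Some(p) => p, None => continue };
        let note = after.split_once('#').map(|(_, c)| c.trim()).unwrap_or("");
        let mut words = note.split_whitespace();
        let name = match words.next() { Some(n) => n, None => continue };
        // A second word shaped like "0.9.10" is a version: pin it, otherwise
        // `cargo tree -i <name>` errors as ambiguous when several versions exist.
        let spec = match words.next() {
            Some(v) if v.starts_with(|c: char| c.is_ascii_digit()) && v.contains('.') => {
                format!("{name}@{v}")
            }
            _ => name.to_string(),
        };
        entries.push(IgnoreEntry { id: id.to_string(), spec, note: note.to_string() });
    }
    entries
}

/// Run `cargo tree --invert --edges=normal <spec>`. Per the file's header, empty
/// stdout means no normal edge reaches the crate (cargo's own "nothing to print"
/// warning goes to stderr). A failing exit (e.g. ambiguous spec) becomes Err.
pub fn cargo_reverse_normal_deps(spec: &str) -> Result<String, String> {
    let out = Command::new("cargo")
        .args(["tree", "--invert", "--edges=normal", spec])
        .output()
        .map_err(|e| e.to_string())?;
    if !out.status.success() {
        return Err(String::from_utf8_lossy(&out.stderr).into_owned());
    }
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// One problem line per entry that is not verifiably dev-only.
pub fn verify<F>(entries: &[IgnoreEntry], reverse_normal_deps: F) -> Vec<String>
where
    F: Fn(&str) -> Result<String, String>,
{
    let mut problems = Vec::new();
    for e in entries {
        match reverse_normal_deps(&e.spec) {
            Err(err) => problems.push(format!("{}: could not verify `{}`: {}", e.id, e.spec, err.trim())),
            Ok(out) if !out.trim().is_empty() => problems.push(format!(
                "{}: `{}` is reachable through normal dependency edges, ignore is no longer dev-only:\n{}",
                e.id, e.spec, out.trim_end()
            )),
            Ok(_) => {}
        }
    }
    problems
}

fn main() {
    // Usage: run from the workspace root; optional argument overrides the config path.
    let path = std::env::args().nth(1).unwrap_or_else(|| ".cargo/audit.toml".to_string());
    let text = match std::fs::read_to_string(&path) {
        Ok(t) => t,
        Err(e) => { eprintln!("cannot read {path}: {e}"); std::process::exit(2); }
    };
    let entries = parse_ignore_entries(&text);
    let problems = verify(&entries, cargo_reverse_normal_deps);
    for p in &problems { eprintln!("{p}"); }
    if !problems.is_empty() { std::process::exit(1); }
    println!("{} ignore entries verified as dev-only", entries.len());
}
```

Wired in as a CI step after `cargo audit`, a non-zero exit turns a stale ignore into a failing build instead of a silently suppressed advisory. Note that the last sample entry resolves to the bare spec `rand`, which is exactly the case where cargo refuses an ambiguous name; the checker reports that rather than passing it, so the comment for such entries should carry the version.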