Skip to content

Fix CI failure by Ignore quick-xml audit advisories #23298

Merged
Jefffrey merged 1 commit into
apache:mainfrom
alamb:codex/ignore-quick-xml-audit
Jul 3, 2026
Merged

Fix CI failure by Ignore quick-xml audit advisories #23298
Jefffrey merged 1 commit into
apache:mainfrom
alamb:codex/ignore-quick-xml-audit

Conversation

@alamb

@alamb alamb commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Which issue does this PR close?

Rationale for this change

The audit workflow is failing on main due to the quick-xml advisories:

  • RUSTSEC-2026-0194
  • RUSTSEC-2026-0195

quick-xml is pulled in transitively through object_store, and the released object_store version currently used by DataFusion does not yet depend on quick-xml >= 0.41.0.

What changes are included in this PR?

This temporarily ignores the two quick-xml RustSec advisories in the audit workflow and documents that the ignores should be removed once object_store upgrades to quick-xml >= 0.41.0.

This is what I did in arrow-rs as well

Are these changes tested?

By CI

Are there any user-facing changes?

No.

@github-actions github-actions Bot added the development-process Related to development process of DataFusion label Jul 2, 2026
@alamb alamb changed the title chore: Ignore quick-xml audit advisories Fix CI failure by Ignore quick-xml audit advisories Jul 2, 2026
@alamb alamb marked this pull request as ready for review July 2, 2026 21:34
@Jefffrey Jefffrey added this pull request to the merge queue Jul 3, 2026
@Jefffrey

Jefffrey commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

thanks @alamb

Merged via the queue into apache:main with commit 094ad31 Jul 3, 2026
37 checks passed
comphead pushed a commit that referenced this pull request Jul 15, 2026
## Which issue does this PR close?

- Part of #22547 (54.1.0 release)

## Rationale for this change

`cargo audit` is failing on `branch-54` with 7 vulnerabilities across 5
crates:

- `crossbeam-epoch` 0.9.18:
[RUSTSEC-2026-0204](https://rustsec.org/advisories/RUSTSEC-2026-0204)
- `postgres-protocol` 0.6.11:
[RUSTSEC-2026-0179](https://rustsec.org/advisories/RUSTSEC-2026-0179)
(high),
[RUSTSEC-2026-0180](https://rustsec.org/advisories/RUSTSEC-2026-0180)
- `quinn-proto` 0.11.14:
[RUSTSEC-2026-0185](https://rustsec.org/advisories/RUSTSEC-2026-0185)
(high)
- `tokio-postgres` 0.7.17:
[RUSTSEC-2026-0178](https://rustsec.org/advisories/RUSTSEC-2026-0178)
- `quick-xml` 0.39.2:
[RUSTSEC-2026-0194](https://rustsec.org/advisories/RUSTSEC-2026-0194)
(high),
[RUSTSEC-2026-0195](https://rustsec.org/advisories/RUSTSEC-2026-0195)
(high)

This follows the model of similar fixes on earlier maintenance branches:
- #21415 (branch-52)
- #21587 (branch-53)

## What changes are included in this PR?

- `cargo update` for crates that have dependencies
- Add ignore for the two `quick-xml` advisories. The fix requires
`quick-xml` 0.41, which is only used by `object_store` 0.14 — a breaking
upgrade that can not be backported to this maintenance branch. The same
advisories are ignored on `main` (added in #23298, tracked by #23297).

## Are these changes tested?

Yes, by CI. `cargo audit` now passes locally with the ignore flags (only
allowed warnings remain).

## Are there any user-facing changes?

No, dependency version bumps in `Cargo.lock` and a CI change only.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

development-process Related to development process of DataFusion

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cargo audit is failing on main

2 participants