From 3edd1d50acb22cde4b78e2e731d46f7ff85196a6 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Tue, 12 May 2026 12:47:16 +0200
Subject: [PATCH] fix: resolve cargo audit failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update rustls-webpki 0.103.10 → 0.103.13 (fixes RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104)
- Update mongodb 3.5.1 → 3.6.0 (latest compatible 3.x)
- Add .cargo/audit.toml ignoring two hickory-proto advisories that cannot be fixed: mongodb 3.x pins hickory-resolver 0.25.x which pins hickory-proto 0.25.x; RUSTSEC-2026-0118 has no upstream fix at all, RUSTSEC-2026-0119 requires hickory-proto >=0.26.1 which mongodb does not yet support. Both are DNS-layer DoS vectors requiring control of the DNS server responding to MongoDB's hostname resolution.

Co-Authored-By: Claude Sonnet 4.6
---
 .cargo/audit.toml | 10 ++++++++++
 Cargo.lock | 12 ++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 .cargo/audit.toml

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000..e183aab
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+ # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
+ # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
+ # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
+ # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
+ # not a realistic attack surface here. Revisit when mongodb bumps hickory.
+ "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
+ "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
+]
diff --git a/Cargo.lock b/Cargo.lock
index 378dada..0714ef6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
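Review bot: The two `ignore` entries are keyed by advisory ID alone, so they silence RUSTSEC-2026-0118 and RUSTSEC-2026-0119 on every dependency path, not only the mongodb → hickory-resolver chain the comment describes; if another crate later pulls in an affected hickory-proto, `cargo audit` stays green without anyone noticing. Nothing in this file expresses when the exceptions lapse, so the "Revisit when mongodb bumps hickory" intent rests on memory; consider making the removal condition checkable against `cargo tree`, e.g. `# TODO(<tracking-issue placeholder>): drop both entries once mongodb depends on hickory-resolver >= 0.26 (hickory-proto >= 0.26.1)`. The risk statement "not a realistic attack surface here" should name the deployment assumption it rests on — that the resolver answering the MongoDB hostname lookup is trusted — since that assumption, not the advisory text, is what a future reader has to re-validate before keeping the exception.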
@@ -3524,9 +3524,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"

 [[package]]
 name = "mongodb"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
+checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
 dependencies = [
 "base64",
 "bitflags",
@@ -3570,9 +3570,9 @@ dependencies = [

 [[package]]
 name = "mongodb-internal-macros"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
+checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
 dependencies = [
 "macro_magic",
 "proc-macro2",
@@ -4699,9 +4699,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "ring",
 "rustls-pki-types",