[advisories]
ignore = [
    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1

    # rmcp 0.16.0 — DNS rebinding in Streamable HTTP server transport (missing
    # Host header validation). Patched in rmcp >= 1.4.0, which is a major API
    # version jump from our pin; rmcp shipped 0.x → 1.x → 2.x in three months
    # and the migration touches every tool handler + the auth middleware we
    # just landed in #92. Threat model in our deployment: the MCP server is
    # exposed at a public hostname (comp-mcp-dev.meghsakha.com) behind orca's
    # TLS-terminating ingress with per-tenant bearer auth — the attack model
    # (browser DNS-rebinding into localhost MCP server) doesn't directly apply.
    # Defense-in-depth Host-header check is still a worthwhile follow-up.
    # FOLLOW-UP: bump rmcp to 2.x in a dedicated PR (M7.3 follow-up, sized
    # multi-hour due to API surface change).
    "RUSTSEC-2026-0189",
]
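The "defense-in-depth Host-header check" mentioned for the rmcp advisory is the standard mitigation for DNS rebinding: a rebinding attack reaches the server through an attacker-controlled name, so the Host header the browser sends will not match any name the server is legitimately served under. The following is an added, std-only Rust example of such an allow-list check; it is not rmcp's code and not part of this project. The allow-list is hypothetical (it reuses the public hostname from the comment above plus localhost), ports are deliberately ignored because the ingress terminates TLS, and wiring it into the HTTP layer as middleware is left out.

```rust
// Added example (not rmcp's or this project's code): Host-header allow-list
// check of the kind the deny.toml comment calls a defense-in-depth follow-up
// for the DNS-rebinding advisory. The allow-list below is hypothetical.

/// Split an HTTP Host header value into (host, optional port), accepting the
/// bracketed IPv6 form `[::1]:8080`. Returns None for an empty or malformed
/// value (bad port, unbracketed IPv6, empty host).
pub fn split_host_port(value: &str) -> Option<(&str, Option<u16>)> {
    let value = value.trim();
    if value.is_empty() {
        return None;
    }
    if let Some(rest) = value.strip_prefix('[') {
        // IPv6 literal: everything up to the closing bracket is the host.
        let end = rest.find(']')?;
        let host = &rest[..end];
        let after = &rest[end + 1..];
        let port = match after.strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if after.is_empty() => None,
            None => return None,
        };
        return Some((host, port));
    }
    match value.rsplit_once(':') {
        Some((host, port)) => {
            if host.is_empty() || host.contains(':') {
                return None;
            }
            Some((host, Some(port.parse::<u16>().ok()?)))
        }
        None => Some((value, None)),
    }
}

/// True if the Host header names one of the origins the server is meant to
/// be reached at. Matching is case-insensitive and ignores a trailing dot and
/// any port; a missing, empty or malformed header is rejected, which is the
/// safe default against rebinding (the attacker's name never matches).
pub fn host_allowed(host_header: Option<&str>, allowed_hosts: &[&str]) -> bool {
    let value = match host_header {
        Some(v) => v,
        None => return false,
    };
    let host = match split_host_port(value) {
        Some((h, _port)) => h.trim_end_matches('.'),
        None => return false,
    };
    allowed_hosts
        .iter()
        .any(|a| a.trim_end_matches('.').eq_ignore_ascii_case(host))
}

/// Hypothetical allow-list: the public hostname from the deny.toml comment
/// plus local development names.
pub const ALLOWED_HOSTS: &[&str] = &["comp-mcp-dev.meghsakha.com", "localhost", "127.0.0.1"];

fn main() {
    // Constructed sample Host header values, including a rebinding-style one.
    let samples = [
        Some("comp-mcp-dev.meghsakha.com"),
        Some("localhost:3000"),
        Some("[::1]:8080"),
        Some("attacker.example"),
        None,
    ];
    for h in samples {
        println!("{:?} -> allowed={}", h, host_allowed(h, ALLOWED_HOSTS));
    }
}
```

A middleware would run `host_allowed` before any tool handler and answer 421 or 403 on a mismatch; the allow-list should come from configuration rather than being compiled in, and the same comparison should be applied to the Origin header for browser clients.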