From 95fc853d36e5bc6a2a2434e7398f3b28b7117800 Mon Sep 17 00:00:00 2001
From: MK
Date: Thu, 19 Mar 2026 21:46:58 +0800
Subject: [PATCH 1/6] fix(ci): clone rolldown repo in cargo deny workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The rolldown directory is not a git submodule — it's an external repo cloned by the CI clone action. The deny workflow had `submodules: true` which was a no-op. Replace it with an explicit rolldown checkout at the pinned hash from .upstream-versions.json.
---
 .github/workflows/deny.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index 9a63537020..b82b305f42 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -30,7 +30,16 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
-          submodules: true
+
+      - name: Output rolldown hash
+        id: upstream-versions
+        run: node -e "console.log('ROLLDOWN_HASH=' + require('./packages/tools/.upstream-versions.json').rolldown.hash)" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: rolldown/rolldown
+          path: rolldown
+          ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }}
 
       - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
         with:

From 403ce481ec71b1c8a1f37fa478e05b87b34f120c Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 24 Mar 2026 10:11:58 +0800
Subject: [PATCH 2/6] fix(ci): pin cargo-deny to 0.18.9 for CVSS 4.0 support

The setup-rust action resolves cargo-deny@latest to 0.18.4 which cannot parse CVSS 4.0 scores in the advisory database (RUSTSEC-2026-0009). Pin to 0.18.9 which includes the fix from EmbarkStudios/cargo-deny#805.
---
 .github/workflows/deny.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
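Review bot: The new rolldown checkout step does not set `persist-credentials: false`, unlike the first checkout a few lines above it, so with the action's default the job token is left in the rolldown checkout's git config for the rest of the job; add `persist-credentials: false` under that step's `with:`. Separately, `ref:` is whatever string `.upstream-versions.json` holds and nothing in the hash step checks it is a full commit SHA, so a branch or tag name in that file would silently turn the "pinned" checkout into a floating one; a test against `^[0-9a-f]{40}$` before writing `ROLLDOWN_HASH` would enforce the pin the commit message describes. The `>> $GITHUB_OUTPUT` redirection should also quote the variable as `"$GITHUB_OUTPUT"`. The enclosing job definition starts above this hunk.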
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index b82b305f42..9d090867c7 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -44,6 +44,6 @@ jobs:
       - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
         with:
           restore-cache: false
-          tools: cargo-deny
+          tools: cargo-deny@0.18.9
 
       - run: cargo deny check

From dab4ee4204b084a3c90894f50336d69ecefa8e81 Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 24 Mar 2026 10:19:42 +0800
Subject: [PATCH 3/6] fix(ci): update deny.toml to pass cargo-deny checks

Add missing allowed licenses (BSD-2-Clause, BSL-1.0, bzip2-1.0.6, CC0-1.0, CDLA-Permissive-2.0, MIT-0, Zlib) to match rolldown's config. Allow git sources from voidzero-dev, reubeno, polachok, branchseer orgs. Exclude unlicensed first-party crates from checks and ignore upstream advisory IDs from rolldown dependencies.
---
 deny.toml | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/deny.toml b/deny.toml
index 4644e0a611..86d7cc89de 100644
--- a/deny.toml
+++ b/deny.toml
@@ -23,7 +23,14 @@ yanked = "warn"
 # output a note when they are encountered.
 ignore = [
   "RUSTSEC-2024-0399",
-  # "RUSTSEC-0000-0000",
+  # Advisories from upstream (rolldown) dependencies
+  "RUSTSEC-2025-0052",
+  "RUSTSEC-2025-0067",
+  "RUSTSEC-2025-0068",
+  "RUSTSEC-2025-0141",
+  "RUSTSEC-2026-0049",
+  "RUSTSEC-2026-0067",
+  "RUSTSEC-2026-0068",
 ]
 # Threshold for security vulnerabilities, any vulnerability with a CVSS score
 # lower than the range specified will be ignored. Note that ignored advisories
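Review bot: The seven advisory IDs added to `ignore` share a single one-line comment, so nothing records which crate each one concerns, why it cannot be fixed on this side, or what would let it be removed; the advisories check stays silent for them indefinitely. cargo-deny accepts a table form for ignore entries that keeps the rationale next to the ID, e.g. `{ id = "RUSTSEC-2025-0052", reason = "<constructed: affected crate, pinned via rolldown>" }`, and the same applies to the pre-existing `RUSTSEC-2024-0399`. Naming the rolldown commit that resolves each one would also give a clear trigger for dropping the entry when the rolldown pin in `.upstream-versions.json` moves.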
@@ -50,13 +57,20 @@ ignore = [
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
   "Apache-2.0",
+  "BSD-2-Clause",
   "BSD-3-Clause",
+  "BSL-1.0",
+  "bzip2-1.0.6",
+  "CC0-1.0",
+  "CDLA-Permissive-2.0",
   "ISC",
   "MIT",
+  "MIT-0",
   "MPL-2.0",
   "OpenSSL",
   "Unicode-DFS-2016",
   "Unicode-3.0",
+  "Zlib",
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
@@ -97,7 +111,7 @@ license-files = [
 # published to private registries.
 # To see how to mark a crate as unpublished (to the official registry),
 # visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
-ignore = false
+ignore = true
 # One or more private registries that you might publish crates to, if a crate
 # is only published to private registries, and ignore is true, the crate will
 # not have its license(s) checked
@@ -200,7 +214,7 @@ allow-git = []
 [sources.allow-org]
 # 1 or more github.com organizations to allow git sources for
-# github = [""]
+github = ["voidzero-dev", "reubeno", "polachok", "branchseer"]
 # 1 or more gitlab.com organizations to allow git sources for
 # gitlab = [""]
 # 1 or more bitbucket.org organizations to allow git sources for
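Review bot: `github = ["voidzero-dev", "reubeno", "polachok", "branchseer"]` in `[sources.allow-org]` trusts every current and future repository under those four accounts as a git dependency source, and three of them look like individual accounts rather than organizations, so a compromised account or a newly created repository under any of them passes the sources check unchallenged. The hunk header shows `allow-git = []` just above; listing the specific repository URLs that the rolldown dependency tree actually pulls from is the narrower allow, and each git dependency should also be locked to a `rev` so this check is not the only pin. If org-level entries are kept, a comment per entry naming the crate that needs it would make the list auditable when the rolldown pin moves.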
@@ -232,7 +246,18 @@ targets = [
 # they are connected to another crate in the graph that hasn't been pruned,
 # so it should be used with care. The identifiers are [Package ID Specifications]
 # (https://doc.rust-lang.org/cargo/reference/pkgid-spec.html)
-# exclude = []
+# First-party crates without license fields — exclude from all checks
+exclude = [
+  "vite-plus-benches",
+  "vite-plus-cli",
+  "fspy",
+  "fspy_detours_sys",
+  "fspy_preload_unix",
+  "fspy_preload_windows",
+  "fspy_seccomp_unotify",
+  "fspy_shared",
+  "fspy_shared_unix",
+]
 # If true, metadata will be collected with `--all-features`. Note that this can't
 # be toggled off if true, if you want to conditionally enable `--all-features` it
 # is recommended to pass `--all-features` on the cmd line instead

From 8936998bacc57c1c0ec4bc260735e41da2270312 Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 24 Mar 2026 10:22:57 +0800
Subject: [PATCH 4/6] fix(ci): revert licenses.private.ignore to false

The graph exclude already handles unlicensed first-party crates, so this setting is unnecessary.
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 86d7cc89de..b32b466f9b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -111,7 +111,7 @@ license-files = [
 # published to private registries.
 # To see how to mark a crate as unpublished (to the official registry),
 # visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
-ignore = true
+ignore = false
 # One or more private registries that you might publish crates to, if a crate
 # is only published to private registries, and ignore is true, the crate will
 # not have its license(s) checked

From 89b91abb7dd37786ee867b9d6ad6e3f80e31600b Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 24 Mar 2026 10:26:15 +0800
Subject: [PATCH 5/6] fix(ci): add comment for cargo-deny version pin

---
 .github/workflows/deny.yml | 1 +
 1 file changed, 1 insertion(+)
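Review bot: Putting the nine first-party crates into `exclude` removes them from every check rather than just licensing, and the context lines directly above the change warn that their dependencies are pruned too unless another crate still reaches them — so advisories, bans and sources for anything only pulled in through `vite-plus-cli` or the `fspy*` crates are no longer checked at all. The narrower fix is to keep the crates in the graph and address the license finding itself: add a `license` field to their Cargo.toml, or mark them `publish = false` and set `[licenses.private] ignore = true`, the setting this series enables in PATCH 3 and then reverts in PATCH 4 on the assumption that `exclude` is equivalent, which it is not. If the exclusion is kept, the added comment should say that it also drops these crates' private dependencies from the advisory and source checks so the gap is visible.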
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index 9d090867c7..7a5203f23d 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -44,6 +44,7 @@ jobs:
       - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
         with:
           restore-cache: false
+          # Pinned to 0.18.9+ for CVSS 4.0 support (EmbarkStudios/cargo-deny#805)
           tools: cargo-deny@0.18.9
 
       - run: cargo deny check

From 06bdd0036e06b93f27f8e3e222d0fdb5f4dc4409 Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 24 Mar 2026 10:29:33 +0800
Subject: [PATCH 6/6] fix(ci): upgrade cargo-deny to 0.19.0

---
 .github/workflows/deny.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index 7a5203f23d..b06f5a0b45 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -44,7 +44,7 @@ jobs:
       - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
         with:
           restore-cache: false
-          # Pinned to 0.18.9+ for CVSS 4.0 support (EmbarkStudios/cargo-deny#805)
-          tools: cargo-deny@0.18.9
+          # Pinned to 0.18.6+ for CVSS 4.0 support (EmbarkStudios/cargo-deny#805)
+          tools: cargo-deny@0.19.0
 
       - run: cargo deny check
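Review bot: The rewritten comment in PATCH 6 says `Pinned to 0.18.6+` while PATCH 2 of the same series states that the CVSS 4.0 fix from EmbarkStudios/cargo-deny#805 is in 0.18.9, and the comment being replaced said `0.18.9+`; one of the two floors is wrong, and the lowest version a future maintainer may safely fall back to depends on which. State the release that actually contains the fix, or drop the floor and record the observed failure instead, e.g. `# Pin: cargo-deny@latest resolved to 0.18.4, which cannot parse CVSS 4.0 scores (EmbarkStudios/cargo-deny#805)`.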