chore: Ignore RUSTSEC-2026-0097 in deny.toml

siegfriedweber · siegfriedweber · commit 74b5ac7ffbdf · 2026-04-15T13:45:57.000+02:00
diff --git a/deny.toml b/deny.toml
@@ -38,6 +38,16 @@ ignore = [
     #
     # This can only be removed again if we decide to use a different crate.
     "RUSTSEC-2024-0436",
+
+    # https://rustsec.org/advisories/RUSTSEC-2026-0097
+    # rand 0.8.5 is unsound when log+thread_rng features are enabled and a custom logger calls rand::rng().
+    #
+    # This version is pulled in transitively via num-bigint-dig -> rsa -> stackable-certs and cannot be
+    # updated until the upstream rsa crate bumps its rand dependency.
+    #
+    # This should be fixed in rsa v0.10.
+    # Release tracking issue: https://github.com/RustCrypto/RSA/issues/647
+    "RUSTSEC-2026-0097",
 ]
 
 [bans]
