
fix: suppress cargo deny warnings#6391

Merged: LesnyRumcajs merged 1 commit into main from hm/cargo-deny-warnings on Jan 8, 2026

Conversation

@hanabi1224
Contributor

@hanabi1224 hanabi1224 commented Jan 8, 2026

Summary of changes

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes #6390

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Added two advisories to the security ignore list to accommodate specific upstream dependencies (bincode and libp2p-swarm); no functional or API changes were made.


@coderabbitai
Contributor

coderabbitai Bot commented Jan 8, 2026

Walkthrough

Two advisory IDs were added to the [advisories] ignore list in deny.toml: RUSTSEC-2025-0141 and RUSTSEC-2026-0002. No other files or code were modified.

Changes

Cohort / File(s): Configuration update (deny.toml)
Summary: Added two advisory IDs to the [advisories] ignore list: RUSTSEC-2025-0141 (unmaintained: bincode) and RUSTSEC-2026-0002 (dependency of libp2p-swarm).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • LesnyRumcajs
  • akaladarshi
🚥 Pre-merge checks: 5 passed
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: The title 'fix: suppress cargo deny warnings' directly and clearly describes the main change in the PR, which adds advisories to the ignore list in deny.toml to suppress cargo-deny warnings.
  • Linked Issues check ✅ Passed: The PR changes directly address the linked issue #6390 by suppressing the cargo-deny advisories check failures through modifications to deny.toml.
  • Out of Scope Changes check ✅ Passed: All changes in the PR are within scope, limited to modifications in deny.toml to suppress specific cargo-deny advisories as required by the linked issue.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05f9c7a and 43ff6dd.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • deny.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • deny.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Coverage
  • GitHub Check: All lint checks
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: tests-release


@hanabi1224 hanabi1224 marked this pull request as ready for review January 8, 2026 01:48
@hanabi1224 hanabi1224 requested a review from a team as a code owner January 8, 2026 01:48
@hanabi1224 hanabi1224 requested review from LesnyRumcajs and akaladarshi and removed request for a team January 8, 2026 01:48
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ccd220c and 05f9c7a.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • deny.toml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6074
File: src/rpc/methods/chain.rs:55-56
Timestamp: 2025-09-17T11:32:44.185Z
Learning: In the Forest codebase, hanabi1224 prefers that CodeRabbit should not warn about potential compilation issues (such as Send bounds, async/await compatibility, etc.) since they are already guarded by CI tests. Focus should be on higher-level design and logic issues instead.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5946
File: src/rpc/methods/state.rs:1459-1463
Timestamp: 2025-08-19T11:25:56.710Z
Learning: hanabi1224 prefers that CodeRabbit should not warn about compilation errors in the Forest codebase since they are already guarded by CI tests. Focus should be on higher-level design and logic issues instead.
Learnt from: elmattic
Repo: ChainSafe/forest PR: 6128
File: src/ipld/util.rs:23-30
Timestamp: 2025-10-17T09:36:15.757Z
Learning: Always run `cargo check` or `cargo build` to verify actual compilation errors in the Forest codebase before flagging them as issues. Do not rely solely on documentation or assumptions about trait implementations.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5930
File: build.rs:64-77
Timestamp: 2025-08-13T09:43:20.301Z
Learning: hanabi1224 prefers hard compile-time errors in build scripts rather than runtime safeguards or collision detection, believing it's better to fail fast and fix root causes of issues like malformed snapshot names.
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 6057
File: src/cli/subcommands/f3_cmd.rs:0-0
Timestamp: 2025-09-09T10:37:17.947Z
Learning: hanabi1224 prefers having default timeouts (like 10m for --no-progress-timeout) to prevent commands from hanging indefinitely, even when the timeout flag isn't explicitly provided by users. This fail-fast approach is preferred over requiring explicit flag usage.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests-release
  • GitHub Check: Coverage
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: Build Ubuntu
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build MacOS
  • GitHub Check: All lint checks

Comment thread deny.toml Outdated
Comment on lines +8 to +9
"RUSTSEC-2025-0141", # bincode is unmaintained
"RUSTSEC-2026-0002", # dependency of libp2p-swarm
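Review bot: the comment on line 9 names the wrong crate. RUSTSEC-2026-0002 is an advisory against lru (the web-query result in this thread says so), which libp2p-swarm merely pulls in, so `# dependency of libp2p-swarm` will mislead the next person who audits this list and will not tell them when the ignore can go. Suggest recording the advised crate, the path, and the condition for removal on both new lines, e.g. `"RUSTSEC-2026-0002", # lru (IterMut soundness), transitive via libp2p-swarm; drop once libp2p-swarm bumps lru`, and for line 8 say whether bincode is a direct or a transitive dependency and link the issue that tracks replacing it, as the existing entries on lines 6-7 do.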
Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n deny.toml

Repository: ChainSafe/forest

Length of output: 1595


🏁 Script executed:

# Search for bincode and libp2p-swarm usage
rg -n '\bbincode\b' --type rust -A2 -B2

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Check for libp2p-swarm references
rg -n 'libp2p-swarm' --type toml

Repository: ChainSafe/forest

Length of output: 1023


🏁 Script executed:

# Check Cargo.lock or Cargo.toml files for these dependencies
fd -e toml -x rg -l 'bincode|libp2p-swarm' 2>/dev/null

Repository: ChainSafe/forest

Length of output: 111


🏁 Script executed:

# Try to fetch advisory details from RustSec database
python3 <<'EOF'
import urllib.request
import json

advisories = ["RUSTSEC-2025-0141", "RUSTSEC-2026-0002"]

for advisory_id in advisories:
    try:
        url = f"https://rustsec.org/advisories/{advisory_id}.json"
        with urllib.request.urlopen(url, timeout=5) as response:
            data = json.loads(response.read().decode())
            print(f"\n=== {advisory_id} ===")
            print(json.dumps(data, indent=2)[:500])
    except Exception as e:
        print(f"\n=== {advisory_id} ===")
        print(f"Error fetching: {e}")
EOF

Repository: ChainSafe/forest

Length of output: 146


🌐 Web query:

RUSTSEC-2025-0141 bincode unmaintained

💡 Result:

I couldn't find a RustSec advisory with the ID RUSTSEC-2025-0141. However, the bincode crate has been marked unmaintained by its maintainers (archive on GitHub and a final crates.io/docs release noting development has ceased). See:

  • docs.rs bincode (notice "Bincode is now unmaintained"). [1]
  • bincode GitHub repo archived by owner. [2]
  • crates.io / release metadata showing v3.0.0 (final) and notes. [3]

If you want, I can: (a) open the official rustsec.org advisories page and search again, or (b) list recommended maintained alternatives and migration guidance. Which would you prefer?


🌐 Web query:

RUSTSEC-2026-0002 libp2p-swarm vulnerability

💡 Result:

There is no RustSec advisory RUSTSEC-2026-0002 for libp2p-swarm. RUSTSEC-2026-0002 is an advisory for the lru crate (IterMut soundness issue). [1]

If you meant libp2p resource-exhaustion issues: the relevant RustSec advisory is RUSTSEC-2022-0084 (libp2p DoS/resource-exhaustion, fixed in >=0.45.1). See also NVD/OSV entries for CVE-2022-23486. [2][3]

Sources

  • RUSTSEC-2026-0002 (lru advisory). [1]
  • RUSTSEC-2022-0084 (libp2p DoS advisory). [2]
  • NVD / CVE-2022-23486 (libp2p resource exhaustion). [3]

🏁 Script executed:

# Check for actual bincode dependency in Cargo.toml
rg -n 'bincode' Cargo.toml --context 3

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Check the Cargo.lock for bincode usage and versions
rg -n '\bbincode\b' Cargo.lock | head -20

Repository: ChainSafe/forest

Length of output: 147


🏁 Script executed:

# Look for comments or issues in the git history related to these advisories
git log --oneline --all --grep="RUSTSEC-2025-0141\|RUSTSEC-2026-0002" 2>/dev/null | head -10

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Check if there are any related issues or discussions in code comments
rg -n 'RUSTSEC-2025-0141|RUSTSEC-2026-0002' --type rust --type toml

Repository: ChainSafe/forest

Length of output: 186


🏁 Script executed:

# Check if lru is a dependency of libp2p-swarm
rg -n '\blru\b' Cargo.lock | head -15

Repository: ChainSafe/forest

Length of output: 131


🏁 Script executed:

# Get more details about what RUSTSEC-2026-0002 actually concerns
rg -n 'RUSTSEC-2026-0002' Cargo.lock

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Check the libp2p-swarm version and its direct dependencies
sed -n '/^name = "libp2p-swarm"$/,/^$/p' Cargo.lock | head -30

Repository: ChainSafe/forest

Length of output: 466


🏁 Script executed:

# Let me check if there's an official RUSTSEC-2025-0141 advisory
python3 <<'EOF'
import urllib.request
import json

# Try to access the RustSec advisory database directly
try:
    # Check if advisory exists via GitHub
    url = "https://github.com/rustsec/advisory-db/main/crates/bincode/RUSTSEC-2025-0141.toml"
    with urllib.request.urlopen(url, timeout=10) as response:
        print("RUSTSEC-2025-0141 found:")
        print(response.read().decode()[:500])
except Exception as e:
    print(f"RUSTSEC-2025-0141 not found in advisory-db: {e}")

# Check lru advisory
try:
    url = "https://github.com/rustsec/advisory-db/main/crates/lru/RUSTSEC-2026-0002.toml"
    with urllib.request.urlopen(url, timeout=10) as response:
        print("\nRUSTSEC-2026-0002 found:")
        print(response.read().decode()[:500])
except Exception as e:
    print(f"\nRUSTSEC-2026-0002 access failed: {e}")
EOF

Repository: ChainSafe/forest

Length of output: 393


🏁 Script executed:

# Check what versions of lru are being used
sed -n '/^name = "lru"$/,/^$/p' Cargo.lock | head -20

Repository: ChainSafe/forest

Length of output: 275


🏁 Script executed:

# Verify bincode is actually required (not just a transitive dependency)
rg -n '^bincode' Cargo.toml

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Let me check git log for when these advisories were added
git log --oneline --all -- deny.toml | head -10

Repository: ChainSafe/forest

Length of output: 540


🏁 Script executed:

# Check if there's a related PR or commit message
git log -p --all -- deny.toml 2>/dev/null | grep -A5 -B5 "RUSTSEC-2025-0141\|RUSTSEC-2026-0002" | head -30

Repository: ChainSafe/forest

Length of output: 42


🏁 Script executed:

# Verify whether bincode is a direct or transitive dependency
rg -n 'bincode.*=' Cargo.toml

Repository: ChainSafe/forest

Length of output: 42


Clarify and justify the advisory suppressions.

The comment on line 9 is misleading. RUSTSEC-2026-0002 is an advisory for the lru crate (an IterMut soundness issue), not libp2p-swarm itself—though lru is indeed a transitive dependency of libp2p-swarm (via libp2p-swarm → lru).

Both suppressions (lines 8-9) lack the detailed justification present in the existing entries (lines 6-7), which reference specific FVM2 compatibility constraints. For these new entries:

  • Line 8 (bincode): Document why bincode cannot be replaced. Bincode is confirmed unmaintained; clarify if this is a direct dependency or transitive via FVM, and whether migration is feasible.
  • Line 9 (lru via libp2p-swarm): Clarify the lru advisory details and mitigation strategy. Update the comment to explicitly state it's suppressing the lru vulnerability, not a libp2p-swarm advisory.

Add justification similar to lines 6-7, including references to any related GitHub issues or compatibility constraints that prevent immediate fixes.

@hanabi1224 hanabi1224 force-pushed the hm/cargo-deny-warnings branch from 05f9c7a to 43ff6dd Compare January 8, 2026 01:58
@codecov

codecov Bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.48%. Comparing base (ccd220c) to head (43ff6dd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

see 4 files with indirect coverage changes



@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Jan 8, 2026
Merged via the queue into main with commit a4d6142 Jan 8, 2026
43 checks passed
@LesnyRumcajs LesnyRumcajs deleted the hm/cargo-deny-warnings branch January 8, 2026 10:09


Development

Successfully merging this pull request may close these issues.

[automated] cargo deny check advisories failure @ 8/1/26 00:02

2 participants