From 190b4115717535231607f522854495fc595a618f Mon Sep 17 00:00:00 2001 From: Andrew Lamb Date: Mon, 5 Jan 2026 16:06:01 -0500 Subject: [PATCH 1/4] Downgrade aws-smithy-runtime to avoid rustsec --- Cargo.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8dcfbc65c21b0..99c652c7ebcb2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -866,9 +866,9 @@ dependencies = [ [[package]] name = "aws-smithy-runtime" -version = "1.9.6" +version = "1.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65fda37911905ea4d3141a01364bc5509a0f32ae3f3b22d6e330c0abfb62d247" +checksum = "a392db6c583ea4a912538afb86b7be7c5d8887d91604f50eb55c262ee1b4a5f5" dependencies = [ "aws-smithy-async", "aws-smithy-http", @@ -2823,7 +2823,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.61.0", + "windows-sys 0.60.2", ] [[package]] @@ -2967,7 +2967,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.0", + "windows-sys 0.60.2", ] [[package]] @@ -5391,7 +5391,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.61.0", + "windows-sys 0.60.2", ] [[package]] @@ -6121,7 +6121,7 @@ dependencies = [ "getrandom 0.3.4", "once_cell", "rustix", - "windows-sys 0.61.0", + "windows-sys 0.60.2", ] [[package]] @@ -7008,7 +7008,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.0", + "windows-sys 0.60.2", ] [[package]] From 305b4f9de6536f3ba38b11d7b219ce303a0ff4cc Mon Sep 17 00:00:00 2001 From: Jefffrey Date: Tue, 6 Jan 2026 11:56:16 +0900 Subject: [PATCH 2/4] bump rkyv to 0.7.46 --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 99c652c7ebcb2..db70b7d89265f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5282,9 +5282,9 @@ dependencies = [ [[package]] name = "rkyv" -version = "0.7.45" +version = "0.7.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b" +checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1" dependencies = [ "bitvec", "bytecheck", @@ -5300,9 +5300,9 @@ dependencies = [ [[package]] name = "rkyv_derive" -version = "0.7.45" +version = "0.7.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0" +checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5" dependencies = [ "proc-macro2", "quote", From 0fef41edea64a4639cc00a2abe9ee877f64d590a Mon Sep 17 00:00:00 2001 From: Andrew Lamb Date: Tue, 6 Jan 2026 07:04:18 -0500 Subject: [PATCH 3/4] Update rust_decimal --- Cargo.lock | 14 +++++++------- datafusion/sqllogictest/Cargo.toml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 99c652c7ebcb2..870b540cc4512 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2823,7 +2823,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.60.2", + "windows-sys 0.61.0", ] [[package]] @@ -2967,7 +2967,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.60.2", + "windows-sys 0.61.0", ] [[package]] 
@@ -5351,9 +5351,9 @@ dependencies = [ [[package]] name = "rust_decimal" -version = "1.38.0" +version = "1.39.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8975fc98059f365204d635119cf9c5a60ae67b841ed49b5422a9a7e56cdfac0" +checksum = "35affe401787a9bd846712274d97654355d21b2a2c092a3139aabe31e9022282" dependencies = [ "arrayvec", "borsh", @@ -5391,7 +5391,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.60.2", + "windows-sys 0.61.0", ] [[package]] @@ -6121,7 +6121,7 @@ dependencies = [ "getrandom 0.3.4", "once_cell", "rustix", - "windows-sys 0.60.2", + "windows-sys 0.61.0", ] [[package]] @@ -7008,7 +7008,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.60.2", + "windows-sys 0.61.0", ] [[package]] diff --git a/datafusion/sqllogictest/Cargo.toml b/datafusion/sqllogictest/Cargo.toml index a26a1d44225fe..b47d9f2c3dc78 100644 --- a/datafusion/sqllogictest/Cargo.toml +++ b/datafusion/sqllogictest/Cargo.toml @@ -57,7 +57,7 @@ log = { workspace = true } object_store = { workspace = true } postgres-protocol = { version = "0.6.7", optional = true } postgres-types = { version = "0.2.11", features = ["derive", "with-chrono-0_4"], optional = true } -rust_decimal = { version = "1.38.0", features = ["tokio-pg"] } +rust_decimal = { version = "1.39.0", features = ["tokio-pg"] } # When updating the following dependency verify that sqlite test file regeneration works correctly # by running the regenerate_sqlite_files.sh script. sqllogictest = "0.28.4" From 42f0ab454934edc592122162fac691e424a1bccc Mon Sep 17 00:00:00 2001 From: Andrew Lamb Date: Tue, 6 Jan 2026 07:21:21 -0500 Subject: [PATCH 4/4] Temporarily ignore RUSTSEC-2026-0001 to get clean CI --- .github/workflows/audit.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 066151babc91b..e015acdb0dad6 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -46,4 +46,7 @@ jobs:
 with:
 tool: cargo-audit
 - name: Run audit check
- run: cargo audit
+ # RUSTSEC-2026-0001: https://rustsec.org/advisories/RUSTSEC-2026-0001.html
+ # underlying rkyv is patched, but rustsec database not yet updated
+ # Can remove when this is merged: https://github.com/rustsec/advisory-db/pull/2565
+ run: cargo audit --ignore RUSTSEC-2026-0001
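Review bot: The `--ignore RUSTSEC-2026-0001` on the new `run:` line suppresses the advisory unconditionally, so the audit job would also stay green if a later lockfile change pulled rkyv back to an affected version, and nothing in the workflow makes the ignore expire. The added comment says the underlying rkyv is patched but does not name the version that carries the fix; presumably that is the 0.7.46 bump earlier in this series, which is worth confirming against the advisory text. I would record it next to the flag, e.g. `# TODO: drop --ignore once advisory-db#2565 is merged; fix presumed in rkyv 0.7.46 (see Cargo.lock)`, and open a tracking issue so the removal is not left to memory. The job's earlier steps lie outside the hunk.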