This is an automated email from the ASF dual-hosted git repository.
liurenjie1024 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-rust.git
The following commit(s) were added to refs/heads/main by this push:
new 434ab9603 fix: Address RUSTSEC-2026-0001 (#1994)
434ab9603 is described below
commit 434ab9603e7cd9969b45fd54f1d6a3c40951145f
Author: Renjie Liu <[email protected]>
AuthorDate: Wed Jan 7 08:35:33 2026 +0800
fix: Address RUSTSEC-2026-0001 (#1994)
## Which issue does this PR close?
- Closes #1992
- Closes #1993
## What changes are included in this PR?
Update dependencies to upgrade rkyv, but we still have to ignore the advisory and
wait for rust_decimal to resolve it.
## Are these changes tested?
CI.
---
.cargo/audit.toml | 3 ++
Cargo.lock | 26 ++++-----
Cargo.toml | 4 +-
bindings/python/Cargo.lock | 131 +++++++++++++++++++++++++++++++++++++++++----
bindings/python/Cargo.toml | 6 +++
5 files changed, 146 insertions(+), 24 deletions(-)
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 09e2d35c5..d403f0ac5 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -33,4 +33,7 @@ ignore = [
#
# Introduced by object_store, see
https://github.com/apache/arrow-rs-object-store/issues/564
"RUSTSEC-2025-0134",
+
+ # Tracked here: https://github.com/paupino/rust-decimal/issues/766
+ "RUSTSEC-2026-0001",
]
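Review bot: The new ignore entry gives only a tracking link, while the neighbouring entry also names the crate that introduces the advisory and why it cannot be fixed locally; without that, nobody knows when this line can be removed. Cargo.lock records optional dependencies regardless of which features are enabled, so the rkyv 0.7 entry under rust_decimal stays in both lockfiles (see the rust_decimal dependency lists in this commit) and cargo-audit keeps reporting it even though the feature is now disabled in the manifests. Suggest replacing the comment with `# Introduced by rust_decimal's optional rkyv 0.7 dependency, which remains in Cargo.lock even with the feature disabled. Remove once https://github.com/paupino/rust-decimal/issues/766 is resolved.` The start of the `ignore` array lies outside this hunk.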
diff --git a/Cargo.lock b/Cargo.lock
index 97ee25d65..73494910b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2715,7 +2715,7 @@ source =
"registry+https://github.com/rust-lang/crates.io-index"
checksum = "baec6a0289d7f1fe5665586ef7340af82e3037207bef60f5785e57569776f0c8"
dependencies = [
"bytes",
- "rkyv 0.8.12",
+ "rkyv 0.8.13",
"serde",
"simdutf8",
]
@@ -5525,9 +5525,9 @@ dependencies = [
[[package]]
name = "rkyv"
-version = "0.7.45"
+version = "0.7.46"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
+checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
dependencies = [
"bitvec",
"bytecheck",
@@ -5535,7 +5535,7 @@ dependencies = [
"hashbrown 0.12.3",
"ptr_meta 0.1.4",
"rend 0.4.2",
- "rkyv_derive 0.7.45",
+ "rkyv_derive 0.7.46",
"seahash",
"tinyvec",
"uuid",
@@ -5543,27 +5543,27 @@ dependencies = [
[[package]]
name = "rkyv"
-version = "0.8.12"
+version = "0.8.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35a640b26f007713818e9a9b65d34da1cf58538207b052916a83d80e43f3ffa4"
+checksum = "8b2e88acca7157d83d789836a3987dafc12bc3d88a050e54b8fe9ea4aaa29d20"
dependencies = [
"bytes",
- "hashbrown 0.15.5",
+ "hashbrown 0.16.1",
"indexmap 2.12.1",
"munge",
"ptr_meta 0.3.1",
"rancor",
"rend 0.5.3",
- "rkyv_derive 0.8.12",
+ "rkyv_derive 0.8.13",
"tinyvec",
"uuid",
]
[[package]]
name = "rkyv_derive"
-version = "0.7.45"
+version = "0.7.46"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0"
+checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
dependencies = [
"proc-macro2",
"quote",
@@ -5572,9 +5572,9 @@ dependencies = [
[[package]]
name = "rkyv_derive"
-version = "0.8.12"
+version = "0.8.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd83f5f173ff41e00337d97f6572e416d022ef8a19f371817259ae960324c482"
+checksum = "7f6dffea3c91fa91a3c0fc8a061b0e27fef25c6304728038a6d6bcb1c58ba9bd"
dependencies = [
"proc-macro2",
"quote",
@@ -5663,7 +5663,7 @@ dependencies = [
"num-traits",
"postgres-types",
"rand 0.8.5",
- "rkyv 0.7.45",
+ "rkyv 0.7.46",
"serde",
"serde_json",
]
diff --git a/Cargo.toml b/Cargo.toml
index d099398db..56cd1801c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -109,7 +109,7 @@ rand = "0.8.5"
regex = "1.11.3"
reqwest = { version = "0.12.12", default-features = false, features = ["json"]
}
roaring = { version = "0.11" }
-rust_decimal = "1.37.2"
+rust_decimal = { version = "1.39", default-features = false, features =
["std"] }
serde = { version = "1.0.219", features = ["rc"] }
serde_bytes = "0.11.17"
serde_derive = "1.0.219"
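Review bot: The rust_decimal entry now disables default features with no comment saying why, whereas the same change in bindings/python/Cargo.toml carries an explanation; a future version bump here is likely to restore the defaults and silently re-enable the rkyv 0.7 path. Suggest a line above it: `# default-features = false keeps rust_decimal's optional rkyv 0.7 dependency (RUSTSEC-2026-0001) out of the build; keep until upstream resolves it.` The second hunk of this file appears to drop the file's trailing newline (the `\ No newline at end of file` marker follows the new `zstd` line only), which should be restored so the manifest ends with a single newline.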
@@ -131,4 +131,4 @@ url = "2.5.7"
uuid = { version = "1.18", features = ["v7"] }
volo = "0.10.6"
volo-thrift = "0.10.8"
-zstd = "0.13.3"
+zstd = "0.13.3"
\ No newline at end of file
diff --git a/bindings/python/Cargo.lock b/bindings/python/Cargo.lock
index 4647f9d88..d33abed58 100644
--- a/bindings/python/Cargo.lock
+++ b/bindings/python/Cargo.lock
@@ -668,8 +668,20 @@ version = "0.6.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23cdc57ce23ac53c931e88a43d06d070a6fd142f2617be5855eb75efc9beb1c2"
dependencies = [
- "bytecheck_derive",
- "ptr_meta",
+ "bytecheck_derive 0.6.12",
+ "ptr_meta 0.1.4",
+ "simdutf8",
+]
+
+[[package]]
+name = "bytecheck"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0caa33a2c0edca0419d15ac723dff03f1956f7978329b1e3b5fdaaaed9d3ca8b"
+dependencies = [
+ "bytecheck_derive 0.8.2",
+ "ptr_meta 0.3.1",
+ "rancor",
"simdutf8",
]
@@ -684,6 +696,17 @@ dependencies = [
"syn 1.0.109",
]
+[[package]]
+name = "bytecheck_derive"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89385e82b5d1821d2219e0b095efa2cc1f246cbf99080f3be46a1a85c0d392d9"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
[[package]]
name = "bytemuck"
version = "1.24.0"
@@ -2350,6 +2373,7 @@ dependencies = [
"rand 0.8.5",
"reqsign",
"reqwest",
+ "rkyv 0.8.13",
"roaring",
"rust_decimal",
"serde",
@@ -2841,6 +2865,26 @@ dependencies = [
"uuid",
]
+[[package]]
+name = "munge"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e17401f259eba956ca16491461b6e8f72913a0a114e39736ce404410f915a0c"
+dependencies = [
+ "munge_macro",
+]
+
+[[package]]
+name = "munge_macro"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4568f25ccbd45ab5d5603dc34318c1ec56b117531781260002151b8530a9f931"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
[[package]]
name = "murmur3"
version = "0.5.2"
@@ -3220,7 +3264,16 @@ version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0738ccf7ea06b608c10564b31debd4f5bc5e197fc8bfe088f68ae5ce81e7a4f1"
dependencies = [
- "ptr_meta_derive",
+ "ptr_meta_derive 0.1.4",
+]
+
+[[package]]
+name = "ptr_meta"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b9a0cf95a1196af61d4f1cbdab967179516d9a4a4312af1f31948f8f6224a79"
+dependencies = [
+ "ptr_meta_derive 0.3.1",
]
[[package]]
@@ -3234,6 +3287,17 @@ dependencies = [
"syn 1.0.109",
]
+[[package]]
+name = "ptr_meta_derive"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7347867d0a7e1208d93b46767be83e2b8f978c3dad35f775ac8d8847551d6fe1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
[[package]]
name = "pyiceberg_core_rust"
version = "0.8.0"
@@ -3243,6 +3307,7 @@ dependencies = [
"iceberg",
"iceberg-datafusion",
"pyo3",
+ "rust_decimal",
"tokio",
]
@@ -3409,6 +3474,15 @@ version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+[[package]]
+name = "rancor"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a063ea72381527c2a0561da9c80000ef822bdd7c3241b1cc1b12100e3df081ee"
+dependencies = [
+ "ptr_meta 0.3.1",
+]
+
[[package]]
name = "rand"
version = "0.8.5"
@@ -3564,7 +3638,16 @@ version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "71fe3824f5629716b1589be05dacd749f6aa084c87e00e016714a8cdfccc997c"
dependencies = [
- "bytecheck",
+ "bytecheck 0.6.12",
+]
+
+[[package]]
+name = "rend"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cadadef317c2f20755a64d7fdc48f9e7178ee6b0e1f7fce33fa60f1d68a276e6"
+dependencies = [
+ "bytecheck 0.8.2",
]
[[package]]
@@ -3667,17 +3750,36 @@ source =
"registry+https://github.com/rust-lang/crates.io-index"
checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
dependencies = [
"bitvec",
- "bytecheck",
+ "bytecheck 0.6.12",
"bytes",
"hashbrown 0.12.3",
- "ptr_meta",
- "rend",
- "rkyv_derive",
+ "ptr_meta 0.1.4",
+ "rend 0.4.2",
+ "rkyv_derive 0.7.45",
"seahash",
"tinyvec",
"uuid",
]
+[[package]]
+name = "rkyv"
+version = "0.8.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2e88acca7157d83d789836a3987dafc12bc3d88a050e54b8fe9ea4aaa29d20"
+dependencies = [
+ "bytecheck 0.8.2",
+ "bytes",
+ "hashbrown 0.16.0",
+ "indexmap 2.12.0",
+ "munge",
+ "ptr_meta 0.3.1",
+ "rancor",
+ "rend 0.5.3",
+ "rkyv_derive 0.8.13",
+ "tinyvec",
+ "uuid",
+]
+
[[package]]
name = "rkyv_derive"
version = "0.7.45"
@@ -3689,6 +3791,17 @@ dependencies = [
"syn 1.0.109",
]
+[[package]]
+name = "rkyv_derive"
+version = "0.8.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f6dffea3c91fa91a3c0fc8a061b0e27fef25c6304728038a6d6bcb1c58ba9bd"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.108",
+]
+
[[package]]
name = "roaring"
version = "0.11.2"
@@ -3749,7 +3862,7 @@ dependencies = [
"bytes",
"num-traits",
"rand 0.8.5",
- "rkyv",
+ "rkyv 0.7.45",
"serde",
"serde_json",
]
diff --git a/bindings/python/Cargo.toml b/bindings/python/Cargo.toml
index 9ec58cf80..8346d0270 100644
--- a/bindings/python/Cargo.toml
+++ b/bindings/python/Cargo.toml
@@ -37,6 +37,8 @@ pyo3 = { version = "0.26", features = ["extension-module",
"abi3-py310"] }
iceberg-datafusion = { path = "../../crates/integrations/datafusion" }
datafusion-ffi = { version = "51.0" }
tokio = { version = "1.46.1", default-features = false }
+# Security: disable rkyv feature to avoid RUSTSEC-2026-0001 (rkyv 0.7.45
vulnerability)
+rust_decimal = { version = "1.39", default-features = false, features =
["std"] }
[profile.release]
codegen-units = 1
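Review bot: The comment above the new rust_decimal entry, and the cargo-machete comment in the next hunk, describe it as overriding feature flags, but Cargo features are additive: a `default-features = false` entry can only avoid enabling `rkyv` itself, it cannot disable it if any other crate in the graph (here the `iceberg` dependency) turns it on. The entry therefore works only as long as the workspace manifest also disables rust_decimal's defaults, and the comment should say so rather than claim an override, e.g. `# Security: do not enable rust_decimal's default rkyv feature (RUSTSEC-2026-0001); features are additive, so this only holds while iceberg's own rust_decimal spec also disables defaults`. Separately, this crate's Cargo.lock keeps rkyv 0.7.45 under rust_decimal while the workspace lock moved to 0.7.46; if the bindings lockfile is audited on its own, it may be worth applying the same bump.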
@@ -44,3 +46,7 @@ debug = false
lto = "thin"
opt-level = "z"
strip = true
+
+[package.metadata.cargo-machete]
+# rust_decimal is included to override feature flags for security (disable
rkyv)
+ignored = ["rust_decimal"]