alamb opened a new issue, #23133: URL: https://github.com/apache/datafusion/issues/23133
## Describe the bug

The **Security audit** CI job (`cargo audit`, `.github/workflows/audit.yml`) is failing on `main` and on PRs that touch `Cargo.toml`/`Cargo.lock` because of a newly published advisory in `quinn-proto`:

```
error: 1 vulnerability found!
Crate:    quinn-proto
Version:  0.11.14
Title:    Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
Date:     2026-06-22
ID:       RUSTSEC-2026-0185
URL:      https://rustsec.org/advisories/RUSTSEC-2026-0185
Severity: 7.5 (high)
Solution: Upgrade to >=0.11.15
```

`quinn-proto` is pulled in transitively (`reqwest` -> `quinn` -> `quinn-proto`). Our `Cargo.lock` currently pins `quinn-proto 0.11.14`, and the advisory requires `>= 0.11.15`.

Example failing CI run: https://github.com/apache/datafusion/actions/runs/28046956490/job/83027396736?pr=23052

## To Reproduce

Run the security audit locally:

```bash
cargo audit
```

## Expected behavior

The `cargo audit` CI job passes (no vulnerabilities found).

## Additional context

The fix is to bump the locked `quinn-proto` to `>= 0.11.15`, e.g. `cargo update -p quinn`. This is the same fix arrow-rs applied: https://github.com/apache/arrow-rs/pull/10201

There is already an open PR doing this: #23122.
