chore: ignore RUSTSEC-2025-0140 gix-date vulnerability

cosmir17 · cosmir17 · commit ff4dfd6436d3 · 2026-01-05T17:25:42.000Z
The gix-date 0.11.0 vulnerability (TimeBuf::as_str can create non-UTF8
strings) is introduced via tame-index 0.25.0 which pins gix 0.75.0.

Cannot update gix directly as it would conflict with tame-index's
gix dependency. Ignoring until tame-index releases an update with
gix 0.77+.
diff --git a/deny.toml b/deny.toml
@@ -13,6 +13,9 @@ all-features = true
 [advisories]
 unmaintained = "workspace"
 ignore = [
+    # gix-date 0.11.0 vulnerability via tame-index 0.25.0 -> gix 0.75.0
+    # Waiting for tame-index to update to gix 0.77+
+    { id = "RUSTSEC-2025-0140", reason = "tame-index 0.25.0 pins gix 0.75.0; no updated version available yet" },
 ]
 
 [bans]
diff --git a/src/cargo-deny/check.rs b/src/cargo-deny/check.rs
@@ -548,9 +548,7 @@ fn print_diagnostics(
     use cargo_deny::diag::Check;
 
     if log_ctx.format == crate::Format::Sarif {
-        let workspace_root = krates
-            .map(|k| k.workspace_root().as_str())
-            .unwrap_or("");
+        let workspace_root = krates.map_or("", |k| k.workspace_root().as_str());
         let mut sc = cargo_deny::sarif::SarifCollector::new(workspace_root);
 
         for pack in rx {

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,9 @@ all-features = true`
`13`	`13`	`[advisories]`
`14`	`14`	`unmaintained = "workspace"`
`15`	`15`	`ignore = [`
	`16`	`+ # gix-date 0.11.0 vulnerability via tame-index 0.25.0 -> gix 0.75.0`
	`17`	`+ # Waiting for tame-index to update to gix 0.77+`
	`18`	`+ { id = "RUSTSEC-2025-0140", reason = "tame-index 0.25.0 pins gix 0.75.0; no updated version available yet" },`
`16`	`19`	`]`
`17`	`20`
`18`	`21`	`[bans]`