
test: reproduce #6531 #2


---
name: 'Dependency Review'

# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  - pull_request

# Least privilege: the workflow is granted read-only contents and no write
# scopes.
permissions:
  contents: read

# A new push to the same PR (or ref) cancels the run still in flight for it.
concurrency:
  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
  cancel-in-progress: true

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@f5b971718edcbb31275a1db40004592335c0e031  # v4.8.1
        with:
          # Advisories accepted as known/mitigated. Every ID below is ignored
          # for the whole PR diff with no expiry, so the list should be
          # re-checked whenever a patched release of the affected crate ships.
          #
          # GHSA-c38w-74pg-36hr, GHSA-4grx-2x9w-596c: minor vuln on the rsa
          #   crate, used for google storage.
          # GHSA-cq8v-f236-94qc: rand 0.8.6 unsound with custom logger +
          #   rand::rng(); not affected (log feature disabled, transitive dep
          #   from fail/sqlx).
          # GHSA-2f9f-gq7v-9h6m: thrift 0.17 excessive allocation on untrusted
          #   input. Already a transitive dep via parquet on main; PR-4
          #   (streaming Parquet reader) adds it as a direct dep for
          #   `parquet::format::PageHeader::read_from_in_protocol`. Inputs are
          #   parquet files we wrote to our own object store (trusted source).
          #   Defense-in-depth: the streaming reader caps each Thrift parse
          #   buffer at `max_page_header_bytes` (1 MiB default) BEFORE handing
          #   bytes to thrift, so the outer buffer thrift can read from is
          #   bounded regardless of any inner length prefix. No newer thrift
          #   release fixes this — 0.17.0 is the latest on crates.io.
          allow-ghsas: GHSA-c38w-74pg-36hr,GHSA-4grx-2x9w-596c,GHSA-cq8v-f236-94qc,GHSA-2f9f-gq7v-9h6m