.sync: deny.toml Updates [Rebase & FF] #163

Merged
makubacki merged 2 commits into OpenDevicePartnership:main from makubacki:deny_sync_updates
Jun 17, 2026

@makubacki

Collaborator

.sync/Files.yml: Drop deny.toml sync to patina-mtrr and patina-paging repos

By design, these repos have a very minimal set of dependencies that
are not shared with the main patina repo and other Patina crates.

This change removes deny.toml being synced to those repos since they
will likely have minimal deny.toml changes over time and can simply
be maintained independently and locally in those repos.


.sync: Add paste to ignore sec advisory list in deny.toml

The paste crate is marked as unmaintained in the RustSec advisory
database and pulled in transitively with arm-gic -> arm-sysregs:

```
   ├ paste v1.0.15
     └── arm-sysregs v0.2.9
         └── arm-gic v0.8.1
             ├── patina_dxe_core v22.0.1
             │   └── qemu_dxe_core v3.0.8
             └── patina_internal_cpu v22.0.1
                 ├── patina_debugger v22.0.1
                 │   ├── patina_dxe_core v22.0.1 (*)
                 │   └── qemu_dxe_core v3.0.8 (*)
                 └── patina_dxe_core v22.0.1 (*)
```

This applies to the patina and patina-dxe-core-qemu repos. For now,
an exception is added to the deny.toml file to ignore this advisory
since it is only a build-time dependency and unmaintained.

```
error[unmaintained]: paste - no longer maintained
   ┌─ patina-dxe-core-qemu/Cargo.lock:37:1
   │
37 │ paste 1.0.15 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
   │
   ├ ID: RUSTSEC-2024-0436
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0436
   ├ The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
     that this project is not longer maintained as well as archived the repository
```

… repos

By design, these repos have a very minimal set of dependencies that
are not shared with the main Patina repo and other Patina crates.

This change removes deny.toml being synced to those repos since they
will likely have minimal deny.toml changes over time and can simply
be maintained independently and locally in those repos.

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

The `paste` crate is marked as unmaintained in the RustSec advisory
database and pulled in transitively with `arm-gic` -> `arm-sysregs`:

```
   ├ paste v1.0.15
     └── arm-sysregs v0.2.9
         └── arm-gic v0.8.1
             ├── patina_dxe_core v22.0.1
             │   └── qemu_dxe_core v3.0.8
             └── patina_internal_cpu v22.0.1
                 ├── patina_debugger v22.0.1
                 │   ├── patina_dxe_core v22.0.1 (*)
                 │   └── qemu_dxe_core v3.0.8 (*)
                 └── patina_dxe_core v22.0.1 (*)
```

This applies to the patina and patina-dxe-core-qemu repos. For now,
an exception is added to the deny.toml file to ignore this advisory
since it is only a build-time dependency and unmaintained.

```
error[unmaintained]: paste - no longer maintained
   ┌─ patina-dxe-core-qemu/Cargo.lock:37:1
   │
37 │ paste 1.0.15 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
   │
   ├ ID: RUSTSEC-2024-0436
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0436
   ├ The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
     that this project is not longer maintained as well as archived the repository
```

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
@makubacki makubacki requested review from os-d and vineelko June 17, 2026 13:28
@makubacki makubacki self-assigned this Jun 17, 2026
@makubacki makubacki merged commit f132bc0 into OpenDevicePartnership:main Jun 17, 2026
1 check passed
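
A reviewer-side check for the advisory exception discussed in this PR, as an added example (not code from the PR or the Patina project): it walks a Cargo.lock backwards from an ignored crate and lists every package that still pulls it in, the same inverse tree shown in the description. `reverse_dependents` and `SAMPLE_LOCK` are hypothetical names, and the lockfile excerpt is constructed.

```rust
use std::collections::{BTreeSet, HashMap};

/// Packages in a Cargo.lock (v3/v4 text) that pull in `target`, directly or transitively.
fn reverse_dependents(lock: &str, target: &str) -> BTreeSet<String> {
    let mut rdeps: HashMap<String, Vec<String>> = HashMap::new(); // crate -> direct dependents
    let mut current = String::new();
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            current = v.trim_matches('"').to_string();
        } else if line.starts_with('"') {
            // `dependencies` array entry: "name", "name version" or "name version (source)".
            let entry = line.trim_matches(|c: char| c == '"' || c == ',');
            let dep = entry.split(' ').next().unwrap_or("");
            rdeps.entry(dep.to_string()).or_default().push(current.clone());
        }
    }
    let (mut found, mut stack) = (BTreeSet::new(), vec![target.to_string()]);
    while let Some(krate) = stack.pop() {
        for parent in rdeps.get(&krate).into_iter().flatten() {
            if found.insert(parent.clone()) { stack.push(parent.clone()); }
        }
    }
    found // empty set: nothing locked still needs `target`, so its deny.toml exception is stale
}

// Constructed Cargo.lock excerpt, trimmed to the fields read above (not the repos' real lockfile).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "arm-gic"
dependencies = [
 "arm-sysregs",
]
[[package]]
name = "arm-sysregs"
dependencies = [
 "paste 1.0.15",
]
[[package]]
name = "paste"
[[package]]
name = "patina_dxe_core"
dependencies = [
 "arm-gic",
]
"#;

fn main() {
    println!("{:?}", reverse_dependents(SAMPLE_LOCK, "paste"));
}
```

An empty result for an ignored crate means the lockfile no longer needs it, which is the signal to drop the matching ignore entry from deny.toml.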