This repository documents how we handle security advisories and tracked exceptions for third-party crates.

• Advisory ID: RUSTSEC-2024-0436
• Crate: paste (proc-macro)
• Why it appears: paste is a transitive dependency pulled in by ratatui (a terminal UI crate used by rfgrep for TUI features).

Why we have an exception

• paste is not a direct dependency of rfgrep.
• We currently use ratatui for optional TUI features; paste is pulled in as a proc-macro build-time dependency by that crate.
• We assessed the risk as acceptable for the following reasons:
  • paste is used at build time as a proc-macro to produce code for ratatui and does not run in production runtimes (no network or persistence access in our shipped binary beyond normal codegen).
  • The crate is transitive and we do not directly invoke paste in our code.
  • We have pinned ratatui in Cargo.lock and monitor upstream changes.

Where it's recorded

• We have an allow rule in .cargo/config.toml to ignore the advisory during automated checks:

  [advisories] ignore = ["RUSTSEC-2024-0436", "RUSTSEC-2024-0375", "RUSTSEC-2021-0145"]

• The advisory was also noted in our CHANGELOG.md

What we did now

• Documented the advisory and rationale here.
• Preserved the .cargo/config.toml allow rule (existing in repo) so automated tooling does not fail CI for this advisory.

How to review further

• Run cargo audit in your environment to see the advisory and verify the allow rule behaves as expected.
• To remove the exception proactively, try updating ratatui in Cargo.toml to a newer minor/.x release and run cargo update -p ratatui and cargo tree -i paste to verify the transitive dependency was removed.