chore(audit): ignore RUSTSEC-2025-0023

mxinden · mxinden · commit 6fc708c9f5af · 2025-04-07T12:22:22.000+02:00
RUSTSEC-2025-0023 discloses a vulnerability in Tokio: "Broadcast channel calls clone in parallel, but does not require `Sync`". https://rustsec.org/advisories/RUSTSEC-2025-0023 Tokio is only used in neqo-bin. neqo-bin does not make use of Tokio's broadcast channels. neqo-bin is not used by Firefox. All Tokio versions with a fix for RUSTSEC-2025-0023 require a libc version bump, i.e. require us to use a libc version other than what mozilla-central uses. Thus, instead of updating Tokio, this commit simply ignores the CVE.
diff --git a/audit.toml b/audit.toml
@@ -0,0 +1,2 @@
+[advisories]
+ignore = [RUSTSEC-2025-0023]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+[advisories]`
	`2`	`+ignore = [RUSTSEC-2025-0023]`