
Remove transitive RSA vulnerability by disabling sqlx MySQL support #305

@bug-ops

Description

Context

Security audit (2026-02-15) identified RUSTSEC-2023-0071 (Marvin Attack, CVSS 5.9) in transitive dependency rsa 0.9.10, pulled via sqlx-mysql. The project uses SQLite only.

Severity

Medium — indirect dependency, no MySQL usage in codebase.

Fix

In root Cargo.toml, disable default features for sqlx and explicitly list only needed features:

sqlx = { version = "0.8", default-features = false, features = ["runtime-tokio-rustls", "sqlite", "macros", "migrate"] }

Then run cargo update && cargo deny check to verify the rsa crate is removed from the dependency tree.
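An offline way to check the last step, added here as an example and not part of the project: a small Python walk over Cargo.lock that reports every dependency chain from the root crate to rsa, the same information `cargo tree -i rsa` shows, so it can double as a CI guard. The lock excerpt, the crate name `myapp` and the helper names are constructed for the demonstration.

```python
# Added example, not project code: an offline reverse-dependency walk over
# Cargo.lock (what `cargo tree -i rsa` reports), usable as a CI guard.
import re

# Constructed Cargo.lock excerpt modelled on the issue: default-feature sqlx
# pulls sqlx-mysql, which pulls rsa. Trimmed to the fields read below; the
# crate "myapp" and the sqlx-mysql version/source string are illustrative.
LOCK_BEFORE = """\
[[package]]
name = "myapp"
dependencies = ["sqlx"]
[[package]]
name = "rsa"
version = "0.9.10"
[[package]]
name = "sqlx"
dependencies = [
 "sqlx-mysql 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "sqlx-sqlite",
]
[[package]]
name = "sqlx-mysql"
dependencies = ["rsa"]
[[package]]
name = "sqlx-sqlite"
"""

def parse_lock(text):
    """Return {crate: [direct dependency names]} from Cargo.lock text."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # An entry may read "rsa 0.9.10 (source)"; keep only the crate name.
        graph[name] = re.findall(r'"([^"\s]+)[^"]*"', deps.group(1)) if deps else []
    return graph

def paths_to(graph, root, target):
    """Every chain root -> ... -> target; an empty list means the crate is
    gone from the tree, which is the acceptance check for this issue."""
    found = []
    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # cycle guard: dev-dependencies can loop
                walk(dep, path + [dep])
    walk(root, [root])
    return found
```

Run it against the real Cargo.lock after `cargo update`; a non-empty result from `paths_to(parse_lock(open("Cargo.lock").read()), "<root crate>", "rsa")` names the feature path still pulling the crate in.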

Acceptance criteria

  • cargo audit reports zero vulnerabilities
  • cargo deny check passes without errors
  • All tests pass
