@hanabi1224 hanabi1224 commented Oct 13, 2025

Summary of changes

Ignore RUSTSEC-2025-0046 for now.

Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds
The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes #6155

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated security audit configuration to ignore a specific advisory, ensuring cleaner CI results.
    • No changes to application features, behavior, or performance.
    • Licensing and dependency ban configurations remain unchanged.
    • Build and release artifacts are unaffected.
    • No user-facing impact.
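As an added illustration (not this PR's own diff, which is not shown on this page), here is a deny.toml advisories entry of the kind the walkthrough describes, written so the exception records why it was accepted and when it should be revisited. It assumes a cargo-deny version that accepts the table form with a reason field; the advisory ID used is the one the bot's walkthrough says the PR added, and the mismatch with the ID in the PR title is the point the pre-merge checks below flag.

```toml
# deny.toml (added example, not the diff from this PR)
[advisories]
# Every ignored advisory carries the reason it was accepted, so the exception
# is auditable and is easy to drop once a patched crate release ships.
# Verify the result with: cargo deny check advisories
ignore = [
    # Table form (assumes a cargo-deny version that supports the reason field).
    { id = "RUSTSEC-2023-0071", reason = "rsa: non-constant-time implementation leaks private-key timing information over the network; no patched release yet, remove this entry once a constant-time release is available" },
]

# Older cargo-deny versions only accept plain advisory IDs, with no reason field:
# ignore = ["RUSTSEC-2023-0071"]
```

Whichever form is used, the ID must match the advisory that `cargo deny check advisories` actually reports, or the CI failure that motivated the change stays unresolved.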

@hanabi1224 hanabi1224 marked this pull request as ready for review October 13, 2025 09:29
@hanabi1224 hanabi1224 requested a review from a team as a code owner October 13, 2025 09:29
@hanabi1224 hanabi1224 requested review from akaladarshi and elmattic and removed request for a team October 13, 2025 09:29
@hanabi1224 hanabi1224 enabled auto-merge October 13, 2025 09:29

coderabbitai bot commented Oct 13, 2025

Walkthrough

Added an advisory ignore entry to deny.toml for RUSTSEC-2023-0071, documenting RSA-related concerns and ongoing migration to a constant-time implementation. No code or API changes.

Changes

Cohort / File(s) | Summary of Changes
Dependency policy config: deny.toml | Added ignore entry for advisory "RUSTSEC-2023-0071" with a note; configuration-only update.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • elmattic
  • sudo-shashank
  • LesnyRumcajs

Pre-merge checks and finishing touches

❌ Failed checks (3 warnings)
Check name | Status | Explanation | Resolution
Title Check | ⚠️ Warning | The pull request title indicates ignoring RUSTSEC-2025-0046, but the changeset actually adds an ignore entry for RUSTSEC-2023-0071 in deny.toml, so the title does not accurately reflect the main change. | Please update the pull request title to match the advisory ID added in deny.toml or adjust the configuration to ignore RUSTSEC-2025-0046 if that was intended.
Linked Issues Check | ⚠️ Warning | The linked issue called for ignoring RUSTSEC-2025-0046 to clear the cargo deny advisory failure, but the pull request instead adds an ignore entry for RUSTSEC-2023-0071, leaving the original advisory unaddressed. | Please adjust the deny.toml entry to ignore RUSTSEC-2025-0046 as specified by linked issue #6155 so the CI advisory check passes.
Out of Scope Changes Check | ⚠️ Warning | The pull request introduces an ignore entry for RUSTSEC-2023-0071 in deny.toml, which is unrelated to the linked issue's objective of ignoring RUSTSEC-2025-0046, so this change falls outside the stated scope. | Please remove or correct the ignore entry to target RUSTSEC-2025-0046 as defined in the linked issue, or provide justification for including RUSTSEC-2023-0071 in this change.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
deny.toml (1)

9-10: Remove stale RSA advisory ignore and update PR description

  • Drop "RUSTSEC-2023-0071" from deny.toml if the rsa crate isn’t invoked.
  • Align PR title/description with the actual advisory being ignored.

📥 Commits

Reviewing files that changed from the base of the PR and between 5685be4 and 80998d3.

📒 Files selected for processing (1)
  • deny.toml (1 hunks)

@hanabi1224 hanabi1224 added this pull request to the merge queue Oct 13, 2025
Merged via the queue into main with commit e052888 Oct 13, 2025
45 checks passed
@hanabi1224 hanabi1224 deleted the hm/ignore-rustsec-2025-0046 branch October 13, 2025 14:36
Development

Successfully merging this pull request may close these issues.

[automated] cargo deny check advisories failure @ 13/10/25 00:03