From 78f91c6f4d46fad25e4d2e39b88694e4587ee37b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:29:30 +0000
Subject: [PATCH 1/2] Initial plan

From 5b983d641154f76e84b48486b7010304ed6a1ddb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:35:41 +0000
Subject: [PATCH 2/2] Security: fix RUSTSEC-2026-0037 (quinn-proto), document RUSTSEC-2023-0071 (rsa)

Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
---
 Cargo.lock | 4 ++--
 deny.toml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f6e55c6..a3a3907 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2759,9 +2759,9 @@ dependencies = [
 
 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
  "getrandom 0.3.4",
diff --git a/deny.toml b/deny.toml
index 5e21c2f..45b267a 100644
--- a/deny.toml
+++ b/deny.toml
@@ -84,6 +84,7 @@ feature-depth = 1
 # output a note when they are encountered.
 ignore = [
     { id = "RUSTSEC-2024-0436", reason = "Paste is used as a dependency for macros, and is not used at runtime" },
+    { id = "RUSTSEC-2023-0071", reason = "No patch is available. The rsa crate is a transitive dependency via recoco-core -> sqlx -> sqlx-mysql. Thread does not use MySQL or perform RSA operations in network-observable contexts; the Marvin Attack timing sidechannel applies only when an attacker can observe network timing against an RSA private key operation. Track https://github.com/RustCrypto/RSA/issues/19 for upstream resolution." },
     # "RUSTSEC-0000-0000",
     # { id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
     # "a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
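Review bot: The added RUSTSEC-2023-0071 ignore entry suppresses the advisory rather than removing the exposure, even though its own reason states the project does not use MySQL; if the `sqlx-mysql` path is reachable only through an enabled sqlx `mysql` feature on `recoco-core` (not visible in this hunk, so worth confirming against Cargo.toml), disabling that feature would drop the rsa crate from the build and let this ignore be deleted instead of carried indefinitely. cargo-deny has no expiry mechanism for `ignore` entries, so a re-review trigger should at least be recorded next to the entry, e.g. `# Re-check: remove once rsa ships a constant-time fix or the sqlx mysql feature is dropped` on the line above it. The reason text also asserts that no RSA private-key operation is network-observable; that is an assumption about every consumer of the dependency tree, not something the advisory or this file establishes, and it should be phrased as the accepted risk rather than as a fact. The `ignore = [` array continues past the end of the hunk.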