fix(deps, security): temporarily ignore ed25519-dalek security vulnerability (vectordotdev#18245)

pront · web-flow · commit 1b90398cbd04 · 2023-08-14T21:54:44.000Z
* fix: use a `ed25519-dalek` version which doesn't contain a vulnerability

* add 'dalek' to dict

* add comment

* as discussed, we will temporarily allow this vulnerability to exist
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -248,6 +248,7 @@ corejs
 coreutils
 curta
 daemonset
+dalek
 databend
 datacenter
 datadog
diff --git a/deny.toml b/deny.toml
@@ -38,4 +38,8 @@ license-files = [
 
 [advisories]
 ignore = [
+    # `ed25519-dalek` is vulnerable due to "Double Public Key Signing Function Oracle Attack".
+    # Temporarily ignoring this vulnerability until the following issue is resolved:
+    # https://github.com/wasmCloud/nkeys/issues/20
+    "RUSTSEC-2022-0093"
 ]

Original file line number	Diff line number	Diff line change
`@@ -38,4 +38,8 @@ license-files = [`
`38`	`38`
`39`	`39`	`[advisories]`
`40`	`40`	`ignore = [`
	`41`	+ # `ed25519-dalek` is vulnerable due to "Double Public Key Signing Function Oracle Attack".
	`42`	`+ # Temporarily ignoring this vulnerability until the following issue is resolved:`
	`43`	`+ # https://github.com/wasmCloud/nkeys/issues/20`
	`44`	`+ "RUSTSEC-2022-0093"`
`41`	`45`	`]`