
chore(deps): ignore RUSTSEC-2026-0066 astral-tokio-tar advisory #8723

Merged: jdx merged 1 commit into main from chore/ignore-astral-tokio-tar-advisory on Mar 23, 2026

Conversation

@jdx (Owner) commented Mar 23, 2026

Summary

  • Ignores RUSTSEC-2026-0066 (insufficient PAX extension validation in astral-tokio-tar 0.5.6) in deny.toml
  • This is a transitive dependency via rattler_package_streaming 0.24 which pins to astral-tokio-tar 0.5.x — upgrading to the fixed >=0.6.0 requires an upstream release
  • Unblocks the cargo deny check lint CI step

Test plan

  • CI lint job should pass with this advisory ignored

🤖 Generated with Claude Code


Note

Low Risk
Low risk configuration-only change, but it suppresses reporting for a known vulnerability in a transitive dependency until upstream can upgrade.

Overview
Updates deny.toml to ignore RUSTSEC-2026-0066, documenting that the affected astral-tokio-tar 0.5.6 issue is a transitive dependency (via rattler_package_streaming) with no safe upgrade currently available. This unblocks cargo deny check in CI by preventing the advisory from failing the lint step.

Written by Cursor Bugbot for commit fdce008.

astral-tokio-tar 0.5.6 has insufficient PAX extension validation
(fix requires >=0.6.0). This is a transitive dependency via
rattler_package_streaming 0.24 which pins to 0.5.x.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@greptile-apps Bot (Contributor) commented Mar 23, 2026

Greptile Summary

This PR adds a single entry to the deny.toml advisory ignore list to suppress RUSTSEC-2026-0066 (insufficient PAX extension validation in astral-tokio-tar 0.5.6), unblocking the cargo deny check CI step.

  • The advisory affects astral-tokio-tar 0.5.6, which is a transitive dependency pulled in by rattler_package_streaming 0.24 — the fix requires upgrading to astral-tokio-tar >=0.6.0, which depends on an upstream release outside the project's control.
  • The new entry is consistent with all other ignore entries in the file (uses the { id = "...", reason = "..." } format) and includes a descriptive reason explaining why the upgrade is not yet feasible.
  • No code logic is affected; this is purely a CI/tooling configuration change.

Confidence Score: 5/5

  • Safe to merge — a one-line CI configuration change with no runtime impact.
  • The change is a minimal, well-justified addition to the advisory ignore list that follows existing conventions. The reason is clearly documented, the upstream blocker is accurately described, and there are no logic, security, or compatibility concerns introduced by this change itself.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| deny.toml | Adds RUSTSEC-2026-0066 to the advisory ignore list with a clear reason; follows existing patterns in the file and is correctly formatted. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[mise project] -->|depends on| B[rattler_package_streaming 0.24]
    B -->|pins to| C[astral-tokio-tar 0.5.6]
    C -->|affected by| D[RUSTSEC-2026-0066\nInsufficient PAX extension validation]
    D -->|fix requires| E[astral-tokio-tar >=0.6.0]
    E -->|blocked on| F[Upstream release\nrattler_package_streaming]
    F -->|workaround| G[Ignore advisory in deny.toml\nuntil upstream releases fix]
```


@gemini-code-assist Bot (Contributor) commented
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request temporarily resolves a failing CI lint job by adding an exception to the deny.toml file for a specific Rust security advisory. This is a short-term fix, as a proper upgrade to the vulnerable dependency is pending an upstream release.

Highlights

  • Dependency Management: This PR addresses a cargo deny check lint failure by ignoring the RUSTSEC-2026-0066 advisory.
  • Transitive Dependency: The ignored advisory relates to astral-tokio-tar 0.5.6, a transitive dependency of rattler_package_streaming 0.24.
  • Temporary Solution: Upgrading astral-tokio-tar to a fixed version (>=0.6.0) is blocked by the need for an upstream release of rattler_package_streaming.

@gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request ignores the RUSTSEC-2026-0066 advisory in deny.toml to unblock CI, as it's a transitive dependency with no available safe upgrade. The change is reasonable, but I've suggested an improvement to the reason string to include a TODO to ensure this temporary ignore is revisited in the future, which improves long-term maintainability.

Comment thread deny.toml
{ id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin attack vulnerability from sigstore crate - no safe upgrade available" },
{ id = "RUSTSEC-2025-0119", reason = "number_prefix crate is unmaintained - used by indicatif/self_update, no safe upgrade available" },
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.7 via rustls 0.21 in aws-smithy-http-client - no safe upgrade available" },
{ id = "RUSTSEC-2026-0066", reason = "astral-tokio-tar 0.5.6 PAX extension validation - transitive dep via rattler_package_streaming, no safe upgrade available" },
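Review bot: the reason string on the new RUSTSEC-2026-0066 line says "no safe upgrade available", but the PR description states that the fix is released in astral-tokio-tar >=0.6.0 and that the only blocker is rattler_package_streaming 0.24 pinning 0.5.x; recording that directly (for example "fixed in >=0.6.0, blocked on rattler_package_streaming bumping its pin") tells the next maintainer exactly what to watch for before removing the entry. Since cargo-deny ignores by advisory id rather than by package version, this entry keeps suppressing the advisory even after the pin moves, so a TODO or tracking-issue link alongside the reason would make the temporary nature of the suppression visible.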
@gemini-code-assist Bot (Contributor) commented (severity: medium)

While the reason for ignoring this advisory is clear, it's a good practice to make these temporary ignores easy to track and remove in the future. Consider adding a TODO comment or a link to a tracking issue. This ensures that the ignored advisory is revisited when the upstream dependency is updated.

Suggested change
{ id = "RUSTSEC-2026-0066", reason = "astral-tokio-tar 0.5.6 PAX extension validation - transitive dep via rattler_package_streaming, no safe upgrade available" },
{ id = "RUSTSEC-2026-0066", reason = "astral-tokio-tar 0.5.6 PAX extension validation - transitive dep via rattler_package_streaming, no safe upgrade available. TODO: Re-evaluate when rattler dependencies are updated." },

@github-actions commented

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.12 x -- echo | 19.5 ± 0.9 | 17.5 | 27.1 | 1.01 ± 0.06 |
| mise x -- echo | 19.4 ± 0.8 | 17.2 | 21.7 | 1.00 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.12 env | 19.9 ± 1.0 | 17.5 | 24.6 | 1.00 |
| mise env | 19.9 ± 0.8 | 17.0 | 22.5 | 1.00 ± 0.06 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.12 hook-env | 20.6 ± 0.9 | 18.1 | 23.2 | 1.00 |
| mise hook-env | 20.9 ± 0.6 | 19.4 | 26.9 | 1.02 ± 0.05 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.12 ls | 20.4 ± 1.0 | 18.2 | 29.6 | 1.00 |
| mise ls | 20.6 ± 0.6 | 18.9 | 22.2 | 1.01 ± 0.06 |

xtasks/test/perf

| Command | mise-2026.3.12 | mise | Variance |
|---|---|---|---|
| install (cached) | 124ms | 122ms | +1% |
| ls (cached) | 74ms | 73ms | +1% |
| bin-paths (cached) | 76ms | 76ms | +0% |
| task-ls (cached) | 782ms | 782ms | +0% |

@jdx jdx merged commit 2c89dbc into main Mar 23, 2026
38 checks passed
@jdx jdx deleted the chore/ignore-astral-tokio-tar-advisory branch March 23, 2026 12:05
mise-en-dev added a commit that referenced this pull request Mar 23, 2026:
### 🐛 Bug Fixes

- **(env)** improve hook-env watch_files tracking and early-exits by
@rpendleton in [#8716](#8716)
- **(install)** create runtime symlinks in system/shared install
directories by @jdx in [#8722](#8722)
- apply --silent flag to global settings to suppress output by
@nkakouros in [#8720](#8720)

### 📦️ Dependency Updates

- ignore RUSTSEC-2026-0066 astral-tokio-tar advisory by @jdx in
[#8723](#8723)

### 📦 Registry

- add acli by @ggoggam in [#8721](#8721)

### New Contributors

- @rpendleton made their first contribution in
[#8716](#8716)
- @ggoggam made their first contribution in
[#8721](#8721)

## 📦 Aqua Registry Updates

#### Updated Packages (1)

- [`astral-sh/ty`](https://github.com/astral-sh/ty)