
chore(deps): unblock cargo-deny advisories check#9112

Merged
jdx merged 3 commits into main from fix/stale-rustsec-ignore
Apr 15, 2026

Conversation

@jdx
Owner

@jdx jdx commented Apr 15, 2026

Summary

  • Drop stale ignore for RUSTSEC-2026-0066 (astral-tokio-tar) — the crate is no longer in the dep tree, so cargo-deny was failing with advisory-not-detected and blocking every PR's lint job (e.g. registry: add sheldon #9104).
  • Bump rustls-webpki 0.103.11 → 0.103.12 via cargo update to pick up the fix for RUSTSEC-2026-0098 / RUSTSEC-2026-0099 on the modern rustls 0.23 line.
  • Ignore RUSTSEC-2026-0098 / RUSTSEC-2026-0099 for the transitive rustls-webpki 0.101.7 pulled in by aws-smithy-http-client via rustls 0.21. Swapping the aws-config / aws-sdk-s3 rustls feature to default-https-client would move to hyper 1.x / rustls 0.23 but requires an MSRV bump, so we wait on aws-sdk to backport or until we bump MSRV.

Verified locally with `cargo deny check advisories` → `advisories ok`.

Test plan

  • `cargo deny check advisories` passes locally
  • CI lint job green

🤖 Generated with Claude Code
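The failure described above, a stale `ignore` entry in deny.toml tripping cargo-deny's `advisory-not-detected` lint while two versions of rustls-webpki sit in the same lockfile, can be reproduced in miniature. The following is an added example, not code from mise or cargo-deny; it models only the version comparison and ignore-list matching, using a constructed Cargo.lock, constructed deny.toml fragments and an assumed advisory table (crate plus first patched version) in place of the real RUSTSEC database:

```rust
// Added example, not code from jdx/mise or cargo-deny: a minimal model of the
// `cargo deny check advisories` logic. It shows why an ignore whose crate is no
// longer vulnerable fails with `advisory-not-detected`, and why two versions of
// one crate (rustls-webpki 0.101.7 and 0.103.12) are judged separately.
// Lockfile, deny.toml fragments and the advisory table below are constructed;
// the patched versions are assumptions, not copied from the RUSTSEC database.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq)]
pub struct Package { pub name: String, pub version: (u64, u64, u64) }

pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: (u64, u64, u64) }

/// "MAJOR.MINOR.PATCH" -> comparable tuple; pre-release tags are not handled.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Minimal Cargo.lock reader: each `[[package]]` table yields one entry, so a
/// crate resolved at two versions yields two entries. The top-level
/// `version = 4` lockfile-format line belongs to no package and is dropped.
pub fn parse_lock(lock: &str) -> Vec<Package> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<(u64, u64, u64)>) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push(Package { name: n, version: v });
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = parse_version(v.trim_matches('"'));
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push(Package { name: n, version: v });
    }
    out
}

/// Advisory ids listed under `[advisories] ignore` in deny.toml.
pub fn ignored_ids(deny_toml: &str) -> BTreeSet<String> {
    deny_toml.lines()
        .filter_map(|l| l.split("id = \"").nth(1))
        .filter_map(|rest| rest.split('"').next())
        .map(str::to_string)
        .collect()
}

/// Advisories matching at least one lockfile entry below the patched version.
pub fn detected(lock: &[Package], db: &[Advisory]) -> BTreeSet<String> {
    db.iter()
        .filter(|a| lock.iter().any(|p| p.name == a.krate && p.version < a.patched))
        .map(|a| a.id.to_string())
        .collect()
}

/// Returns (stale ignores -> `advisory-not-detected`, detected but not ignored).
/// Either list being non-empty fails the check.
pub fn check(lock: &str, deny_toml: &str, db: &[Advisory]) -> (Vec<String>, Vec<String>) {
    let hits = detected(&parse_lock(lock), db);
    let ignored = ignored_ids(deny_toml);
    let stale: Vec<String> = ignored.difference(&hits).cloned().collect();
    let unignored: Vec<String> = hits.difference(&ignored).cloned().collect();
    (stale, unignored)
}

// Constructed sample lockfile mirroring the PR: patched astral-tokio-tar plus
// both rustls-webpki lines resolved at once.
pub const LOCK: &str = r#"version = 4

[[package]]
name = "astral-tokio-tar"
version = "0.6.0"

[[package]]
name = "rustls-webpki"
version = "0.101.7"

[[package]]
name = "rustls-webpki"
version = "0.103.12"
"#;

// Assumed for the example: astral-tokio-tar fixed at 0.6.0, rustls-webpki at 0.103.12.
pub const DB: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2026-0066", krate: "astral-tokio-tar", patched: (0, 6, 0) },
    Advisory { id: "RUSTSEC-2026-0098", krate: "rustls-webpki", patched: (0, 103, 12) },
    Advisory { id: "RUSTSEC-2026-0099", krate: "rustls-webpki", patched: (0, 103, 12) },
];

pub const DENY_BEFORE: &str = r#"[advisories]
ignore = [
    { id = "RUSTSEC-2026-0066", reason = "astral-tokio-tar" },
]"#;

pub const DENY_AFTER: &str = r#"[advisories]
ignore = [
    { id = "RUSTSEC-2026-0098", reason = "rustls-webpki 0.101.7 via rustls 0.21" },
    { id = "RUSTSEC-2026-0099", reason = "rustls-webpki 0.101.7 via rustls 0.21" },
]"#;

fn main() {
    for (label, deny) in [("before", DENY_BEFORE), ("after", DENY_AFTER)] {
        let (stale, unignored) = check(LOCK, deny, DB);
        println!("{label}: advisory-not-detected={stale:?} unignored={unignored:?}");
    }
}
```

The point the model makes is that advisories are matched per lockfile entry, not per crate name: with rustls-webpki present at both 0.101.7 and 0.103.12, bumping the modern line leaves the 0.101.7 entry detected, which is why the PR has to add ignores for RUSTSEC-2026-0098/0099 rather than clearing the finding, and why the RUSTSEC-2026-0066 ignore had to go once no entry matched it. In a real tree, `cargo tree -i rustls-webpki@0.101.7` shows which dependents keep the older version resolved.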


Note

Medium Risk
Primarily dependency/lockfile churn, including updates in TLS/crypto and async networking crates (rustls, hyper-rustls, tokio), which can affect runtime behavior despite being mostly patch-level bumps.

Overview
Unblocks cargo-deny advisory checks by updating the advisory ignore list: removes the stale ignore for RUSTSEC-2026-0066 and adds ignores for RUSTSEC-2026-0098/RUSTSEC-2026-0099 affecting transitive rustls-webpki 0.101.7 (via the rustls 0.21 AWS dependency chain).

Refreshes Cargo.lock via cargo update, notably bumping the modern TLS stack (hyper-rustls and rustls/rustls-webpki on the 0.23 line) and rolling forward various supporting deps (e.g., tokio, rand, openssl, rayon), plus consolidating/removing an extra windows-registry version entry.

Reviewed by Cursor Bugbot for commit a7e0c08.

jdx and others added 2 commits April 15, 2026 13:32
- Drop stale ignore for RUSTSEC-2026-0066 (astral-tokio-tar): crate is
  no longer in the dep tree, so cargo-deny was failing on the
  unused ignore with `advisory-not-detected`.
- Update rustls-webpki 0.103.11 -> 0.103.12 to pick up the fix for
  RUSTSEC-2026-0098 / RUSTSEC-2026-0099 on that line.
- Ignore RUSTSEC-2026-0098 / RUSTSEC-2026-0099 for the transitive
  rustls-webpki 0.101.7 pulled in by aws-smithy-http-client via
  rustls 0.21 — no upgrade path until aws-sdk bumps rustls.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Routine lockfile refresh pulled alongside the deny.toml cleanup. Bumps
rustls 0.23.37→0.23.38, tokio 1.51.1→1.52.0, hyper-rustls 0.27.7→0.27.9,
rattler 0.40.5→0.40.6 and friends, plus assorted minor/patch updates.

aws-sdk / aws-config / aws-smithy are left alone — moving off the
legacy `rustls` feature to a newer stack would require an MSRV bump.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@greptile-apps
Contributor

greptile-apps Bot commented Apr 15, 2026

Greptile Summary

Unblocks cargo-deny advisory checks by cleaning up the ignore list: removes the stale RUSTSEC-2026-0066 entry (the triggering crate astral-tokio-tar was upgraded from 0.5.6 → 0.6.0, fixing the advisory — it remains in the dep tree via rattler_package_streaming), adds ignores for RUSTSEC-2026-0098/0099 affecting the legacy rustls-webpki 0.101.7 path kept alive by aws-smithy-http-client's rustls 0.21 dependency, and bumps rustls-webpki to 0.103.12 on the modern rustls 0.23 line.

Confidence Score: 5/5

Safe to merge — deny.toml changes are correct, all remaining concerns are P2 documentation clarifications.

The code changes are correct: removing the stale advisory ignore and adding well-reasoned ignores for the two TLS advisories that cannot be resolved without an MSRV bump. The only finding is a P2 clarification that the astral-tokio-tar crate is still in the dep tree (upgraded to a patched version), not removed entirely as the PR description implies. No logic bugs, security issues, or blocking concerns.

No files require special attention. The deny.toml changes are correct; the P2 note is informational only.

Important Files Changed

| Filename | Overview |
|---|---|
| deny.toml | Drops stale RUSTSEC-2026-0066 ignore (astral-tokio-tar 0.5.6 was upgraded to 0.6.0, fixing the advisory) and adds ignores for RUSTSEC-2026-0098/0099 affecting rustls-webpki 0.101.7 pulled in transitively via aws-smithy-http-client/rustls 0.21. |
| Cargo.lock | Lockfile refresh bumping rustls-webpki 0.103.x to 0.103.12 and other minor patch bumps; both rustls 0.21.12 (using webpki 0.101.7) and rustls 0.23.38 (using webpki 0.103.12) remain present as dual dependencies of aws-smithy-http-client. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[mise / aws-sdk-s3] --> B[aws-smithy-http-client 1.1.9]
    B --> C[rustls 0.21.12\nlegacy path]
    B --> D[rustls 0.23.38\nmodern path]
    C --> E[rustls-webpki 0.101.7\n⚠️ RUSTSEC-2026-0098\n⚠️ RUSTSEC-2026-0099\nignored — awaiting aws-sdk MSRV bump]
    D --> F[rustls-webpki 0.103.12\n✅ patched in this PR]
    G[rattler_package_streaming] --> H[astral-tokio-tar 0.6.0\n✅ upgraded from 0.5.6\nRUSTSEC-2026-0066 ignore removed]
```


Reviews (3): Last reviewed commit: "chore(deps): bump sigstore-verification ..."

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request involves several dependency downgrades in Cargo.lock, including windows-sys, itertools, and base64, alongside an upgrade for rustls-webpki. It also updates deny.toml to ignore security advisories RUSTSEC-2026-0098 and RUSTSEC-2026-0099. Feedback suggests that instead of ignoring these vulnerabilities, the project should update aws-sdk-s3 to a version that utilizes rustls 0.23, as the current MSRV (1.88) is sufficient to support the fix.

Comment thread deny.toml
Comment on lines +77 to +78
```toml
{ id = "RUSTSEC-2026-0098", reason = "rustls-webpki 0.101.7 URI name constraints - transitive via aws-smithy-http-client/rustls 0.21, no safe upgrade until aws-sdk bumps rustls" },
{ id = "RUSTSEC-2026-0099", reason = "rustls-webpki 0.101.7 wildcard name constraints - transitive via aws-smithy-http-client/rustls 0.21, no safe upgrade until aws-sdk bumps rustls" },
```

medium

The provided reason for ignoring these advisories states an MSRV bump is required to switch to default-https-client. The project's MSRV is 1.88, which appears to be sufficient for recent aws-sdk versions that use rustls 0.23 via the default-https-client feature (which requires Rust 1.75).

To avoid ignoring these security advisories, consider updating aws-sdk-s3 and switching to the default-https-client feature in Cargo.toml. This would resolve the underlying issue rather than suppressing the warnings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jdx jdx merged commit 3ba74c3 into main Apr 15, 2026
24 of 25 checks passed
@jdx jdx deleted the fix/stale-rustsec-ignore branch April 15, 2026 13:55
@github-actions

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.12 x -- echo` | 24.0 ± 0.4 | 23.2 | 26.9 | 1.00 |
| `mise x -- echo` | 24.6 ± 0.4 | 23.9 | 26.9 | 1.02 ± 0.02 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.12 env` | 23.8 ± 0.8 | 22.8 | 34.1 | 1.00 |
| `mise env` | 24.1 ± 0.7 | 23.2 | 32.9 | 1.02 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.12 hook-env` | 24.2 ± 0.3 | 23.4 | 25.5 | 1.00 |
| `mise hook-env` | 24.7 ± 0.6 | 23.8 | 32.3 | 1.02 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.12 ls` | 21.7 ± 0.8 | 20.6 | 35.9 | 1.00 |
| `mise ls` | 21.8 ± 0.4 | 21.0 | 23.7 | 1.01 ± 0.04 |

xtasks/test/perf

| Command | mise-2026.4.12 | mise | Variance |
|---|---|---|---|
| install (cached) | 155ms | 154ms | +0% |
| ls (cached) | 81ms | 79ms | +2% |
| bin-paths (cached) | 85ms | 85ms | +0% |
| task-ls (cached) | 777ms | 774ms | +0% |

jdx pushed a commit that referenced this pull request Apr 15, 2026
### 🐛 Bug Fixes

- **(go)** honor install_before for module versions by @mariusvniekerk
in [#9097](#9097)
- **(vfox-plugin)** support Git URL with commit hash for mise.toml by
@Oyami-Srk in [#9099](#9099)
- `MISE_FETCH_REMOTE_VERSIONS_CACHE` not respected by @mcncl in
[#9096](#9096)

### 📦️ Dependency Updates

- unblock cargo-deny advisories check by @jdx in
[#9112](#9112)

### New Contributors

- @mariusvniekerk made their first contribution in
[#9097](#9097)
- @mcncl made their first contribution in
[#9096](#9096)
- @Oyami-Srk made their first contribution in
[#9099](#9099)
jdx pushed a commit that referenced this pull request Apr 15, 2026
### 🐛 Bug Fixes

- **(go)** honor install_before for module versions by @mariusvniekerk
in [#9097](#9097)
- **(schema)** support os arch filters by @risu729 in
[#9095](#9095)
- **(vfox-plugin)** support Git URL with commit hash for mise.toml by
@Oyami-Srk in [#9099](#9099)
- `MISE_FETCH_REMOTE_VERSIONS_CACHE` not respected by @mcncl in
[#9096](#9096)

### 📦️ Dependency Updates

- unblock cargo-deny advisories check by @jdx in
[#9112](#9112)

### New Contributors

- @mariusvniekerk made their first contribution in
[#9097](#9097)
- @mcncl made their first contribution in
[#9096](#9096)
- @Oyami-Srk made their first contribution in
[#9099](#9099)
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Apr 16, 2026
## [2026.4.14](https://github.com/jdx/mise/compare/v2026.4.13..v2026.4.14) - 2026-04-15

### Chore

- bump sigstore-verification by @jdx in [#9128](jdx/mise#9128)

## [2026.4.13](https://github.com/jdx/mise/compare/v2026.4.12..v2026.4.13) - 2026-04-15

### 🐛 Bug Fixes

- **(go)** honor install_before for module versions by @mariusvniekerk in [#9097](jdx/mise#9097)
- **(vfox-plugin)** support Git URL with commit hash for mise.toml by @Oyami-Srk in [#9099](jdx/mise#9099)
- `MISE_FETCH_REMOTE_VERSIONS_CACHE` not respected by @mcncl in [#9096](jdx/mise#9096)

### 📦️ Dependency Updates

- unblock cargo-deny advisories check by @jdx in [#9112](jdx/mise#9112)

### New Contributors

- @mariusvniekerk made their first contribution in [#9097](jdx/mise#9097)
- @mcncl made their first contribution in [#9096](jdx/mise#9096)
- @Oyami-Srk made their first contribution in [#9099](jdx/mise#9099)

## [2026.4.12](https://github.com/jdx/mise/compare/v2026.4.11..v2026.4.12) - 2026-04-15

### 🚀 Features

- **(npm)** use --min-release-age for npm 11.10.0+ supply chain protection by @webkaz in [#9072](jdx/mise#9072)
- **(registry)** add openfga by @mnm364 in [#9084](jdx/mise#9084)
- **(task)** allow to set confirmation default by @roele in [#9089](jdx/mise#9089)
- support os/arch compound syntax in tool os filtering by @RobertDeRose in [#9088](jdx/mise#9088)

### 🐛 Bug Fixes

- **(activate)** export __MISE_EXE and resolve bare ARGV0 to absolute path by @fru1tworld in [#9081](jdx/mise#9081)
- **(install)** support aliased installs sharing a backend by @jdx in [#9093](jdx/mise#9093)
- **(shim)** use which_no_shims when resolving mise binary in reshim and doctor by @kevinswiber in [#9071](jdx/mise#9071)
- filter empty segments in colon-separated env var parsing by @baby-joel in [#9076](jdx/mise#9076)

### 📚 Documentation

- fix wrong file reference to forgejo backend implementation by @roele in [#9090](jdx/mise#9090)
- fix cli token command for token resolution by @roele in [#9077](jdx/mise#9077)