mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-06-04 06:24:58 -06:00
12 lines
1.0 KiB
Markdown
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Tasks
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17)
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md)
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees)
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved
## Triage summary
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options.