Audit reference: R01
What can go wrong
After upgrading to libp2p 0.56.0, cargo audit still reports two advisories in hickory-proto 0.25.2: RUSTSEC-2026-0118 and RUSTSEC-2026-0119. The old ring 0.16 and rustls-webpki 0.101 advisory chain is gone.
When it happens
Hickory is pulled in by libp2p-dns 0.44. The advisories concern DNSSEC NSEC3 closest-encloser processing and quadratic DNS message encoding. The current build does not enable Hickory's DNSSEC feature, which limits exposure to the first path, but both records correctly remain visible in the locked graph.
What changed
The branch upgrades libp2p from 0.54.1 to 0.56.0, adapts its API changes, and validates QUIC, gossip, DHT, reconnect behavior, and mixed 0.54/0.56 peers. It does not force Hickory 0.26 into a dependency that requires the incompatible 0.25 line.
Why the change works
The upgrade safely removes three old transport advisories, but it cannot honestly close this issue: RUSTSEC-2026-0119 is fixed only in Hickory 0.26.1+, and released libp2p 0.56 still pins the 0.25 family. Closure should wait for a stable compatible libp2p release or an upstream backport, followed by the same interoperability and soak tests.
Checks
e3-net tests and strict Clippy pass, a four-node mixed-version QUIC/gossip/DHT drill passes, the full workspace suite passes, and the remaining audit result is exactly the two Hickory advisories above.
Audit reference: R01
What can go wrong
After upgrading to libp2p 0.56.0,
cargo auditstill reports two advisories inhickory-proto0.25.2: RUSTSEC-2026-0118 and RUSTSEC-2026-0119. The oldring0.16 andrustls-webpki0.101 advisory chain is gone.When it happens
Hickory is pulled in by
libp2p-dns0.44. The advisories concern DNSSEC NSEC3 closest-encloser processing and quadratic DNS message encoding. The current build does not enable Hickory's DNSSEC feature, which limits exposure to the first path, but both records correctly remain visible in the locked graph.What changed
The branch upgrades libp2p from 0.54.1 to 0.56.0, adapts its API changes, and validates QUIC, gossip, DHT, reconnect behavior, and mixed 0.54/0.56 peers. It does not force Hickory 0.26 into a dependency that requires the incompatible 0.25 line.
Why the change works
The upgrade safely removes three old transport advisories, but it cannot honestly close this issue: RUSTSEC-2026-0119 is fixed only in Hickory 0.26.1+, and released libp2p 0.56 still pins the 0.25 family. Closure should wait for a stable compatible libp2p release or an upstream backport, followed by the same interoperability and soak tests.
Checks
e3-nettests and strict Clippy pass, a four-node mixed-version QUIC/gossip/DHT drill passes, the full workspace suite passes, and the remaining audit result is exactly the two Hickory advisories above.