From befc5f20dccc8b9048f59bed57d15ecb4acdcd82 Mon Sep 17 00:00:00 2001
From: Fraser Hutchison <190532+Fraser999@users.noreply.github.com>
Date: Mon, 4 May 2026 11:01:04 +0100
Subject: [PATCH] ignore new audit warnings
---
 .cargo/audit.toml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 080c6e3..a09447e 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -27,4 +27,16 @@ ignore = [
 # logger calls `rand::rng()` during reseeding. Our 0.8.5 (transitive via alloy-consensus)
 # has neither feature enabled; our 0.9.4 is already patched.
 "RUSTSEC-2026-0097",
+
+ # `hickory-proto` 0.25.2 NSEC3 closest-encloser proof validation unbounded loop on cross-zone
+ # responses. No fixed upgrade is available. Transitive dep via reth's `reth-dns-discovery` ->
+ # `hickory-resolver`. node-components does not perform DNSSEC validation, so this code path is
+ # unused.
+ "RUSTSEC-2026-0118",
+
+ # `hickory-proto` 0.25.2 O(n²) name-compression CPU exhaustion during message encoding. Fix is
+ # in 0.26.1, but `hickory-resolver` 0.25.2 (pinned by reth's `reth-dns-discovery`) requires
+ # `hickory-proto ^0.25`, so we can't upgrade until reth bumps. node-components does not encode
+ # DNS messages.
+ "RUSTSEC-2026-0119",
 ]
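Review bot: Both new ignore entries justify themselves by what node-components does, yet the same comments say the crate arrives through reth's `reth-dns-discovery` -> `hickory-resolver`, and that is the code that would perform lookups in-process. For `RUSTSEC-2026-0119` the claim "does not encode DNS messages" is hard to accept as written, since a resolver presumably encodes a query for each lookup; the comment should state either that DNS discovery is not enabled in this build or that the names being encoded are not influenced by remote peers. For `RUSTSEC-2026-0118` it would help to say that DNSSEC validation is not turned on for the resolver reth constructs, which is inferred here and not visible in the diff. Neither entry has a revisit trigger, so I would add a line such as `# TODO: drop this ignore once reth bumps hickory-resolver to a release that pulls hickory-proto >= 0.26.1` to the second entry and an equivalent "re-check when a fixed release exists" line to the first.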