
chore(security): filter RUSTSEC-2026-0173 (proc-macro-error2, no upstream fix)#36

Merged: WomB0ComB0 merged 2 commits into main from chore/osv-filter-proc-macro-error2 on Jun 12, 2026

Conversation

@WomB0ComB0 WomB0ComB0 commented Jun 11, 2026

Member

osv-scanner flags RUSTSEC-2026-0173 for proc-macro-error2 2.0.1 (the only un-filtered advisory; the other 10 transitive ones are already filtered with justifications).

Not a dependency bump — osv reports FIXED VERSION: -- (no patched release exists), and 0 vulnerabilities can be fixed. proc-macro-error2 is a build-time proc-macro helper pulled in transitively via anchor-lang's derive macros; it runs only at compile time and is not part of the on-chain BPF runtime.

This adds an [[IgnoredVulns]] entry with that justification, matching the existing pattern for bincode/curve25519-dalek/derivative/etc. — until anchor-lang migrates off proc-macro-error2 upstream.

Summary by CodeRabbit

  • Chores
    • Updated vulnerability scanning configuration: added an ignored entry for RUSTSEC-2026-0173 (proc-macro-error2 2.0.1). This applies to a build-time transitive proc-macro dependency only and does not affect the on-chain BPF runtime; no upstream fix is currently available.

…ream fix)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
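The PR's actual diff is not shown on this page, so the following is an added example, not the project's own configuration. It shows the shape of the `[[IgnoredVulns]]` entry the description refers to, using the field names osv-scanner reads (`id`, `ignoreUntil`, `reason`). The advisory id and the justification are taken from the PR text; the `ignoreUntil` date is an assumed value added here so that the suppression expires and the advisory resurfaces for re-evaluation rather than being silenced indefinitely.

```toml
# Added example (not the PR's diff): an osv-scanner.toml suppression entry.
# The id and justification come from the PR description; the date is assumed.

[[IgnoredVulns]]
id = "RUSTSEC-2026-0173"
# Assumed date, not in the PR. After it passes, osv-scanner reports the
# advisory again, which is the cue to check whether anchor-lang has moved
# off proc-macro-error2 upstream and the entry can be dropped.
ignoreUntil = 2026-12-31
reason = "proc-macro-error2 2.0.1 is a compile-time proc-macro pulled in transitively via anchor-lang derive macros; it is not part of the on-chain BPF runtime. No patched release exists upstream (FIXED VERSION: --)."
```

osv-scanner picks up an `osv-scanner.toml` placed next to the lockfile it scans, or one passed explicitly with `--config`. A dated `ignoreUntil` is the practical safeguard against a "no upstream fix" justification outliving the condition it describes.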
coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c06eeed and f200ced.

📒 Files selected for processing (1)
  • osv-scanner.toml
✅ Files skipped from review due to trivial changes (1)
  • osv-scanner.toml

Walkthrough

Configuration entry added to osv-scanner.toml to ignore RUSTSEC-2026-0173, a build-time proc-macro advisory for proc-macro-error2 used transitively via anchor-lang and not present in the on-chain BPF runtime.

Changes

OSV Scanner Configuration

Layer: Vulnerability ignore entry for proc-macro-error2
File(s): osv-scanner.toml
Summary: Added [[IgnoredVulns]] block for RUSTSEC-2026-0173 noting proc-macro-error2 2.0.1 is a compile-time transitive proc-macro via anchor-lang derive macros, unrelated to the on-chain BPF runtime, with no upstream fix available.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • resq-software/programs#22: Configuration-only changes to osv-scanner.toml adding [[IgnoredVulns]] entries for Rust advisories arising from Anchor macro dependencies.

Poem

I nibble lines of config, soft and light, 🐰
A tiny ignore to keep builds bright,
Compile-time flowers bloom, runtime stays clear,
No BPF worry, just calm in my ear,
Hooray for tidy scans and peaceful night.

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: filtering a specific security vulnerability (RUSTSEC-2026-0173) in proc-macro-error2 due to lack of upstream fix.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the osv-scanner.toml configuration to ignore the vulnerability RUSTSEC-2026-0173, which is a build-time dependency for proc-macro-error2 and does not affect the on-chain runtime. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@WomB0ComB0 WomB0ComB0 merged commit f932dc8 into main Jun 12, 2026
19 checks passed
@WomB0ComB0 WomB0ComB0 deleted the chore/osv-filter-proc-macro-error2 branch June 12, 2026 05:09