From 94eae350655b09bfffd470c1af03053761896263 Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 12 Jun 2026 10:31:58 +0200 Subject: [PATCH 1/2] chore(template): Ignore RUSTSEC-2026-0173 for now --- template/deny.toml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/template/deny.toml b/template/deny.toml index eb48345d..3e40888e 100644 --- a/template/deny.toml +++ b/template/deny.toml @@ -45,6 +45,24 @@ ignore = [ # This version is pulled in transitively via num-bigint-dig -> rsa -> stackable-certs and cannot be # updated until the upstream rsa crate bumps its rand dependency. "RUSTSEC-2026-0097", + + # https://rustsec.org/advisories/RUSTSEC-2026-0173 + # The author of `proc-macro-error2` has [confirmed](https://github.com/GnomedDev/proc-macro-error-2/issues/17#issuecomment-4643215473) + # that the crate is no longer maintained and recommends that users migrate away from it. + # + # There currently is no way for us to negate this advisory, because that crate is not used + # directly by us. We need to wait for new versions of oci-spec and getset. + # + # proc-macro-error2 v2.0.1 + # └── getset v0.1.6 + # └── oci-spec v0.9.0 + # └── boil v0.2.1 + # + # Alternate crates are: + # + # - https://crates.io/crates/manyhow + # - https://github.com/SergioBenitez/proc-macro2-diagnostics + "RUSTSEC-2026-0173", ] [bans] From 88883d759710a483313434e55adb2b84460a54f9 Mon Sep 17 00:00:00 2001 From: Techassi Date: Fri, 12 Jun 2026 10:37:01 +0200 Subject: [PATCH 2/2] chore(template): Add link to upstream issue --- template/deny.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/template/deny.toml b/template/deny.toml index 3e40888e..f446cc19 100644 --- a/template/deny.toml +++ b/template/deny.toml 
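Review bot: The new `"RUSTSEC-2026-0173"` entry in `ignore` is open-ended: the subject says "for now", but the comment gives no removal condition, and the hard-coded tree (`proc-macro-error2 v2.0.1` … `boil v0.2.1`) goes stale as soon as one of those versions moves. Because the file is `template/deny.toml`, the exemption presumably reaches every repository rendered from the template, including ones whose path to `proc-macro-error2` is not the one shown. I would add a line such as `# Remove this entry once oci-spec depends on a getset release that no longer pulls in proc-macro-error2.` If the cargo-deny version in use accepts the table form, `{ id = "RUSTSEC-2026-0173", reason = "unmaintained; transitive via getset <- oci-spec" }` keeps the justification visible in the tool's output rather than only in this file. The `ignore` array begins above the hunk, so the other entries' conventions are not visible here.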
@@ -51,7 +51,8 @@ ignore = [
 # that the crate is no longer maintained and recommends that users migrate away from it.
 #
 # There currently is no way for us to negate this advisory, because that crate is not used
- # directly by us. We need to wait for new versions of oci-spec and getset.
+ # directly by us. We need to wait for new versions of oci-spec and getset. See the following
+ # issue which tracks moving to a newer getset version: https://github.com/youki-dev/oci-spec-rs/issues/340
 #
 # proc-macro-error2 v2.0.1
 # └── getset v0.1.6