fix(ci): bump MSRV to 1.87 and ignore transitive security advisories

Alex Holmberg · Alex Holmberg · commit 04b7d7bbeec2 · 2026-01-15T21:56:12.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,8 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        rust: [stable]
+        # MSRV 1.87 - uses features stabilized in Rust 1.87
+        rust: ["1.87"]
 
     steps:
       - uses: actions/checkout@v4
@@ -79,5 +80,8 @@ jobs:
       - uses: rustsec/audit-check@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          # Only fail on actual vulnerabilities, not unmaintained warnings
-          ignore: RUSTSEC-2020-0163,RUSTSEC-2024-0320,RUSTSEC-2025-0057,RUSTSEC-2025-0074,RUSTSEC-2025-0075,RUSTSEC-2025-0080,RUSTSEC-2025-0081,RUSTSEC-2025-0098,RUSTSEC-2025-0104,RUSTSEC-2025-0134
+          # Ignore advisories in transitive dependencies we cannot control:
+          # - gix-date (RUSTSEC-2025-0140): via rustsec crate, awaiting upstream fix
+          # - bincode (RUSTSEC-2025-0141): via syntect, marked "complete" by maintainer
+          # - Other transitive deps from rustsec, aws-sdk, kube, etc.
+          ignore: RUSTSEC-2020-0163,RUSTSEC-2024-0320,RUSTSEC-2025-0057,RUSTSEC-2025-0074,RUSTSEC-2025-0075,RUSTSEC-2025-0080,RUSTSEC-2025-0081,RUSTSEC-2025-0098,RUSTSEC-2025-0104,RUSTSEC-2025-0134,RUSTSEC-2025-0140,RUSTSEC-2025-0141
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,6 +2,7 @@
 name = "syncable-cli"
 version = "0.26.1"
 edition = "2024"
+rust-version = "1.87"  # MSRV - Uses features stabilized in 1.87
 authors = ["Syncable Team"]
 description = "A Rust-based CLI that analyzes code repositories and generates Infrastructure as Code configurations"
 license = "GPL-3.0"
