feat(telemetry)!: make telemetry worker wasm-compatible for the TraceExporter

[Aaalibaba42]

What?

Port the telemetry stack (libdd-telemetry, libdd-data-pipeline) to compile and run on wasm32-unknown-unknown. TelemetryWorker, TelemetryWorkerHandle, and TelemetryClient become generic over a capability bundle C: HttpClientCapability + SleepCapability; native call sites pin to NativeCapabilities.

Why?

Telemetry was previously hard-gated behind #[cfg(not(target_arch = "wasm32"))] and was a no-op on that target for the TraceExporter.

How?

• Every tokio::time call (sleep, timeout) is replaced by a tokio::select! race against <C as SleepCapability>::new().sleep(…), which resolves to setTimeout on wasm.
• std::time replaced by web-time (Performance.now() / Date.now() on wasm, re-exports std::time on native).
• Shutdown signaling adds a tokio::sync::Notify-based async path alongside the existing native Condvar sync path.
• The old MockClient/file-endpoint logic in http_client.rs is deleted and ported to NativeCapabilities in libdd-capabilities-impl.

Additional Notes

• TelemetryClientBuilder::build now returns Result (was panicking on missing fields) — Rust API break.
• TelemetryClient::start is now sync via try_send_msg — Rust API break.
• FFI and sidecar crates are unaffected at the ABI level; they use a local type alias pinned to NativeCapabilities.

[datadog-official]

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 68.77%
• Overall Coverage: 73.88% (-0.16%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 6743d39 | Docs | Datadog PR Page | Give us feedback!}

[github-actions]

📚 Documentation Check Results

⚠️ 6396 documentation warning(s) found

📦 datadog-sidecar - 2785 warning(s)

📦 libdd-capabilities-impl - 184 warning(s)

📦 libdd-crashtracker - 1074 warning(s)

📦 libdd-data-pipeline - 1195 warning(s)

📦 libdd-telemetry-ffi - 659 warning(s)

📦 libdd-telemetry - 499 warning(s)

---

Updated: 2026-06-29 12:16:02 UTC | Commit: 1100ccb | missing-docs job results

[github-actions]

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

• Base Branch: origin/main
• PR Branch: origin/jwiriath/telemetry-wasm

Summary by Rule

Rule	Base Branch	PR Branch	Change
expect_used	3	0	✅ -3 (-100.0%)
unwrap_used	25	20	✅ -5 (-20.0%)
Total	28	20	✅ -8 (-28.6%)

Annotation Counts by File

File	Base Branch	PR Branch	Change
datadog-sidecar/src/self_telemetry.rs	3	3	No change (0%)
datadog-sidecar/src/service/telemetry.rs	3	3	No change (0%)
libdd-data-pipeline/src/telemetry/mod.rs	1	0	✅ -1 (-100.0%)
libdd-data-pipeline/src/trace_exporter/mod.rs	2	2	No change (0%)
libdd-telemetry/src/metrics.rs	2	2	No change (0%)
libdd-telemetry/src/worker/http_client.rs	3	0	✅ -3 (-100.0%)
libdd-telemetry/src/worker/mod.rs	14	10	✅ -4 (-28.6%)

Annotation Stats by Crate

Crate	Base Branch	PR Branch	Change
clippy-annotation-reporter	5	5	No change (0%)
datadog-ffe-ffi	1	1	No change (0%)
datadog-ipc	22	22	No change (0%)
datadog-live-debugger	4	4	No change (0%)
datadog-live-debugger-ffi	10	10	No change (0%)
datadog-profiling-replayer	4	4	No change (0%)
datadog-sidecar	45	45	No change (0%)
libdd-common	13	13	No change (0%)
libdd-common-ffi	12	12	No change (0%)
libdd-data-pipeline	6	5	✅ -1 (-16.7%)
libdd-ddsketch	2	2	No change (0%)
libdd-dogstatsd-client	1	1	No change (0%)
libdd-profiling	13	13	No change (0%)
libdd-remote-config	3	3	No change (0%)
libdd-telemetry	20	13	✅ -7 (-35.0%)
libdd-tinybytes	4	4	No change (0%)
libdd-trace-normalization	2	2	No change (0%)
libdd-trace-obfuscation	3	3	No change (0%)
libdd-trace-stats	1	1	No change (0%)
libdd-trace-utils	11	11	No change (0%)
Total	182	174	✅ -8 (-4.4%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

[github-actions]

🔒 Cargo Deny Results

⚠️ 28 issue(s) found, showing only errors (advisories, bans, sources)

📦 datadog-sidecar - 6 error(s)

Show output

error[unmaintained]: Bincode is unmaintained
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:37:1
   │
37 │ bincode 1.3.3 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
   │
   ├ ID: RUSTSEC-2025-0141
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0141
   ├ Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently.
     
     The team considers version 1.3.3 a complete version of bincode that is not in need of any updates.
     
     ## Alternatives to consider
     
     * [wincode](https://crates.io/crates/wincode)
     * [postcard](https://crates.io/crates/postcard)
     * [bitcode](https://crates.io/crates/bitcode)
     * [rkyv](https://crates.io/crates/rkyv)
   ├ Announcement: https://git.sr.ht/~stygianentity/bincode/tree/v3.0/item/README.md
   ├ Solution: No safe upgrade is available!
   ├ bincode v1.3.3
     ├── datadog-ipc v0.1.0
     │   └── datadog-sidecar v0.0.1
     └── datadog-sidecar v0.0.1 (*)

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:302:1
    │
302 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── datadog-sidecar v0.0.1
      ├── libdd-common v5.0.0
      │   ├── datadog-ffe v1.0.0
      │   │   └── datadog-sidecar v0.0.1 (*)
      │   ├── datadog-ipc v0.1.0
      │   │   └── datadog-sidecar v0.0.1 (*)
      │   ├── datadog-live-debugger v0.0.1
      │   │   └── datadog-sidecar v0.0.1 (*)
      │   ├── datadog-sidecar v0.0.1 (*)
      │   ├── libdd-capabilities-impl v2.0.0
      │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │   ├── libdd-crashtracker v1.0.0
      │   │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │   │   └── libdd-crashtracker-ffi v36.0.0
      │   │   │       └── datadog-sidecar v0.0.1 (*)
      │   │   ├── libdd-data-pipeline v6.0.0
      │   │   │   ├── datadog-live-debugger v0.0.1 (*)
      │   │   │   └── datadog-sidecar v0.0.1 (*)
      │   │   ├── libdd-shared-runtime v1.0.0
      │   │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │   │   ├── libdd-telemetry v5.0.1
      │   │   │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │   │   │   ├── libdd-crashtracker v1.0.0 (*)
      │   │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │   │   └── libdd-trace-stats v5.0.0
      │   │   │       ├── datadog-ipc v0.1.0 (*)
      │   │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │   ├── libdd-trace-stats v5.0.0 (*)
      │   │   └── libdd-trace-utils v8.0.0
      │   │       ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common-ffi v36.0.0
      │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │   └── libdd-crashtracker-ffi v36.0.0 (*)
      │   ├── (build) libdd-crashtracker v1.0.0 (*)
      │   ├── libdd-crashtracker-ffi v36.0.0 (*)
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-dogstatsd-client v3.0.0
      │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-remote-config v1.0.0
      │   │   ├── datadog-ffe v1.0.0 (*)
      │   │   ├── datadog-live-debugger v0.0.1 (*)
      │   │   ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │   └── (dev) libdd-remote-config v1.0.0 (*)
      │   ├── libdd-shared-runtime v1.0.0 (*)
      │   ├── libdd-telemetry v5.0.1 (*)
      │   ├── libdd-trace-obfuscation v4.0.0 (*)
      │   ├── libdd-trace-stats v5.0.0 (*)
      │   └── libdd-trace-utils v8.0.0 (*)
      ├── libdd-crashtracker v1.0.0 (*)
      ├── (dev) libdd-data-pipeline v6.0.0 (*)
      ├── (dev) libdd-ddsketch v1.0.1
      │   ├── datadog-ipc v0.1.0 (*)
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-telemetry v5.0.1 (*)
      │   └── libdd-trace-stats v5.0.0 (*)
      ├── (dev) libdd-trace-normalization v2.0.0
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   └── libdd-trace-utils v8.0.0 (*)
      ├── (dev) libdd-trace-stats v5.0.0 (*)
      ├── libdd-trace-utils v8.0.0 (*)
      └── proptest v1.5.0
          └── (dev) libdd-tinybytes v1.1.1
              ├── datadog-ipc v0.1.0 (*)
              ├── datadog-sidecar v0.0.1 (*)
              ├── libdd-data-pipeline v6.0.0 (*)
              ├── (dev) libdd-tinybytes v1.1.1 (*)
              └── libdd-trace-utils v8.0.0 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:332:1
    │
332 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── datadog-ffe v1.0.0
      │   │       │   └── datadog-sidecar v0.0.1
      │   │       ├── datadog-ipc v0.1.0
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-live-debugger v0.0.1
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   └── libdd-crashtracker-ffi v36.0.0
      │   │       │   │       └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   │   └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   │   ├── libdd-crashtracker v1.0.0 (*)
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       ├── datadog-ipc v0.1.0 (*)
      │   │       │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-remote-config v1.0.0
      │   │       │   ├── datadog-ffe v1.0.0 (*)
      │   │       │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │   └── (dev) libdd-remote-config v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:332:1
    │
332 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
    ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
      
      This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
      This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── datadog-ffe v1.0.0
      │   │       │   └── datadog-sidecar v0.0.1
      │   │       ├── datadog-ipc v0.1.0
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-live-debugger v0.0.1
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   └── libdd-crashtracker-ffi v36.0.0
      │   │       │   │       └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   │   └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   │   ├── libdd-crashtracker v1.0.0 (*)
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       ├── datadog-ipc v0.1.0 (*)
      │   │       │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-remote-config v1.0.0
      │   │       │   ├── datadog-ffe v1.0.0 (*)
      │   │       │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │   └── (dev) libdd-remote-config v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:332:1
    │
332 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0104
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
    ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
      or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
      `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
      
      This panic is reachable prior to a CRL's signature being verified.
      
      Applications that do not use CRLs are not affected.
      
      Thank you to @tynus3 for the report.
    ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── datadog-ffe v1.0.0
      │   │       │   └── datadog-sidecar v0.0.1
      │   │       ├── datadog-ipc v0.1.0
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-live-debugger v0.0.1
      │   │       │   └── datadog-sidecar v0.0.1 (*)
      │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   └── libdd-crashtracker-ffi v36.0.0
      │   │       │   │       └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   │   └── datadog-sidecar v0.0.1 (*)
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │   │   ├── libdd-crashtracker v1.0.0 (*)
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       ├── datadog-ipc v0.1.0 (*)
      │   │       │   │       ├── datadog-sidecar v0.0.1 (*)
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-crashtracker-ffi v36.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   ├── datadog-sidecar v0.0.1 (*)
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-remote-config v1.0.0
      │   │       │   ├── datadog-ffe v1.0.0 (*)
      │   │       │   ├── datadog-live-debugger v0.0.1 (*)
      │   │       │   ├── (dev) datadog-sidecar v0.0.1 (*)
      │   │       │   └── (dev) libdd-remote-config v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Denial of Service via Stack Exhaustion
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:394:1
    │
394 │ time 0.3.41 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0009
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
    ├ ## Impact
      
      When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
      service attack via stack exhaustion is possible. The attack relies on formally deprecated and
      rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
      non-malicious input will never encounter this scenario.
      
      ## Patches
      
      A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
      rather than exhausting the stack.
      
      ## Workarounds
      
      Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
      the stack consumed would be at most a factor of the length of the input.
    ├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
    ├ Solution: Upgrade to >=0.3.47 (try `cargo update -p time`)
    ├ time v0.3.41
      ├── libdd-remote-config v1.0.0
      │   ├── datadog-ffe v1.0.0
      │   │   └── datadog-sidecar v0.0.1
      │   ├── datadog-live-debugger v0.0.1
      │   │   └── datadog-sidecar v0.0.1 (*)
      │   ├── (dev) datadog-sidecar v0.0.1 (*)
      │   └── (dev) libdd-remote-config v1.0.0 (*)
      └── tracing-appender v0.2.3
          └── libdd-log v1.0.0
              └── (dev) libdd-data-pipeline v6.0.0
                  ├── datadog-live-debugger v0.0.1 (*)
                  └── datadog-sidecar v0.0.1 (*)

advisories FAILED, bans ok, sources ok

📦 libdd-capabilities-impl - 4 error(s)

Show output

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:69:1
   │
69 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2026-0097
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
   ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
     
     - The `log` and `thread_rng` features are enabled
     - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
     - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
     - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
     - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
     
     `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
   ├ Announcement: https://github.com/rust-random/rand/pull/1763
   ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
   ├ rand v0.8.5
     └── (dev) libdd-common v5.0.0
         └── libdd-capabilities-impl v2.0.0

error[vulnerability]: Name constraints for URI names were incorrectly accepted
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:82:1
   │
82 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0098
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
   ├ Name constraints for URI names were ignored and therefore accepted.
     
     Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     ├── rustls v0.23.37
     │   ├── hyper-rustls v0.27.7
     │   │   └── libdd-common v5.0.0
     │   │       └── libdd-capabilities-impl v2.0.0
     │   ├── libdd-common v5.0.0 (*)
     │   ├── rustls-platform-verifier v0.6.2
     │   │   └── libdd-common v5.0.0 (*)
     │   └── tokio-rustls v0.26.0
     │       ├── hyper-rustls v0.27.7 (*)
     │       └── libdd-common v5.0.0 (*)
     └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:82:1
   │
82 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0099
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
   ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
     
     This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
     This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     ├── rustls v0.23.37
     │   ├── hyper-rustls v0.27.7
     │   │   └── libdd-common v5.0.0
     │   │       └── libdd-capabilities-impl v2.0.0
     │   ├── libdd-common v5.0.0 (*)
     │   ├── rustls-platform-verifier v0.6.2
     │   │   └── libdd-common v5.0.0 (*)
     │   └── tokio-rustls v0.26.0
     │       ├── hyper-rustls v0.27.7 (*)
     │       └── libdd-common v5.0.0 (*)
     └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:82:1
   │
82 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0104
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
   ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
     or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
     `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
     
     This panic is reachable prior to a CRL's signature being verified.
     
     Applications that do not use CRLs are not affected.
     
     Thank you to @tynus3 for the report.
   ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     ├── rustls v0.23.37
     │   ├── hyper-rustls v0.27.7
     │   │   └── libdd-common v5.0.0
     │   │       └── libdd-capabilities-impl v2.0.0
     │   ├── libdd-common v5.0.0 (*)
     │   ├── rustls-platform-verifier v0.6.2
     │   │   └── libdd-common v5.0.0 (*)
     │   └── tokio-rustls v0.26.0
     │       ├── hyper-rustls v0.27.7 (*)
     │       └── libdd-common v5.0.0 (*)
     └── rustls-platform-verifier v0.6.2 (*)

advisories FAILED, bans ok, sources ok

📦 libdd-crashtracker - 4 error(s)

Show output

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:204:1
    │
204 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── libdd-common v5.0.0
      │   ├── libdd-capabilities-impl v2.0.0
      │   │   ├── libdd-crashtracker v1.0.0
      │   │   ├── libdd-shared-runtime v1.0.0
      │   │   │   └── libdd-telemetry v5.0.1
      │   │   │       └── libdd-crashtracker v1.0.0 (*)
      │   │   └── (dev) libdd-telemetry v5.0.1 (*)
      │   ├── (build) libdd-crashtracker v1.0.0 (*)
      │   ├── libdd-shared-runtime v1.0.0 (*)
      │   └── libdd-telemetry v5.0.1 (*)
      ├── libdd-crashtracker v1.0.0 (*)
      └── (dev) libdd-ddsketch v1.0.1
          └── libdd-telemetry v5.0.1 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:221:1
    │
221 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-crashtracker v1.0.0 (*)
      │   │       │   └── (dev) libdd-telemetry v5.0.1 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       └── libdd-telemetry v5.0.1 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:221:1
    │
221 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
    ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
      
      This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
      This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-crashtracker v1.0.0 (*)
      │   │       │   └── (dev) libdd-telemetry v5.0.1 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       └── libdd-telemetry v5.0.1 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:221:1
    │
221 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0104
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
    ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
      or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
      `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
      
      This panic is reachable prior to a CRL's signature being verified.
      
      Applications that do not use CRLs are not affected.
      
      Thank you to @tynus3 for the report.
    ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-crashtracker v1.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-crashtracker v1.0.0 (*)
      │   │       │   └── (dev) libdd-telemetry v5.0.1 (*)
      │   │       ├── (build) libdd-crashtracker v1.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       └── libdd-telemetry v5.0.1 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

advisories FAILED, bans ok, sources ok

📦 libdd-data-pipeline - 5 error(s)

Show output

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:218:1
    │
218 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── libdd-common v5.0.0
      │   ├── libdd-capabilities-impl v2.0.0
      │   │   ├── libdd-data-pipeline v6.0.0
      │   │   ├── libdd-shared-runtime v1.0.0
      │   │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │   │   ├── libdd-telemetry v5.0.1
      │   │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │   │   └── libdd-trace-stats v5.0.0
      │   │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │   ├── libdd-trace-stats v5.0.0 (*)
      │   │   └── libdd-trace-utils v8.0.0
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-dogstatsd-client v3.0.0
      │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-shared-runtime v1.0.0 (*)
      │   ├── libdd-telemetry v5.0.1 (*)
      │   ├── libdd-trace-obfuscation v4.0.0 (*)
      │   ├── libdd-trace-stats v5.0.0 (*)
      │   └── libdd-trace-utils v8.0.0 (*)
      ├── (dev) libdd-data-pipeline v6.0.0 (*)
      ├── (dev) libdd-ddsketch v1.0.1
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   ├── libdd-telemetry v5.0.1 (*)
      │   └── libdd-trace-stats v5.0.0 (*)
      ├── (dev) libdd-trace-normalization v2.0.0
      │   ├── libdd-data-pipeline v6.0.0 (*)
      │   └── libdd-trace-utils v8.0.0 (*)
      ├── (dev) libdd-trace-stats v5.0.0 (*)
      ├── libdd-trace-utils v8.0.0 (*)
      └── proptest v1.5.0
          └── (dev) libdd-tinybytes v1.1.1
              ├── libdd-data-pipeline v6.0.0 (*)
              ├── (dev) libdd-tinybytes v1.1.1 (*)
              └── libdd-trace-utils v8.0.0 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:245:1
    │
245 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:245:1
    │
245 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
    ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
      
      This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
      This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:245:1
    │
245 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0104
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
    ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
      or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
      `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
      
      This panic is reachable prior to a CRL's signature being verified.
      
      Applications that do not use CRLs are not affected.
      
      Thank you to @tynus3 for the report.
    ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-data-pipeline v6.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   ├── libdd-telemetry v5.0.1
      │   │       │   │   │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   │   └── libdd-trace-stats v5.0.0
      │   │       │   │       └── libdd-data-pipeline v6.0.0 (*)
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   ├── libdd-trace-stats v5.0.0 (*)
      │   │       │   └── libdd-trace-utils v8.0.0
      │   │       │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       │       ├── libdd-trace-obfuscation v4.0.0
      │   │       │       │   └── libdd-trace-stats v5.0.0 (*)
      │   │       │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       │       └── (dev) libdd-trace-utils v8.0.0 (*)
      │   │       ├── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-dogstatsd-client v3.0.0
      │   │       │   └── libdd-data-pipeline v6.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       ├── libdd-trace-obfuscation v4.0.0 (*)
      │   │       ├── libdd-trace-stats v5.0.0 (*)
      │   │       └── libdd-trace-utils v8.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Denial of Service via Stack Exhaustion
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:286:1
    │
286 │ time 0.3.41 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0009
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
    ├ ## Impact
      
      When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
      service attack via stack exhaustion is possible. The attack relies on formally deprecated and
      rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
      non-malicious input will never encounter this scenario.
      
      ## Patches
      
      A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
      rather than exhausting the stack.
      
      ## Workarounds
      
      Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
      the stack consumed would be at most a factor of the length of the input.
    ├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
    ├ Solution: Upgrade to >=0.3.47 (try `cargo update -p time`)
    ├ time v0.3.41
      └── tracing-appender v0.2.3
          └── libdd-log v1.0.0
              └── (dev) libdd-data-pipeline v6.0.0

advisories FAILED, bans ok, sources ok

📦 libdd-telemetry-ffi - 5 error(s)

Show output

error[unmaintained]: paste - no longer maintained
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:174:1
    │
174 │ paste 1.0.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
    │
    ├ ID: RUSTSEC-2024-0436
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0436
    ├ The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md) 
      that this project is not longer maintained as well as archived the repository
      
      ## Possible Alternative(s)
      
      - [`pastey`]: a fork of paste and is aimed to be a drop-in replacement with additional features for paste crate
      - [`with_builtin_macros`]: crate providing a [superset of `paste`'s functionality including general `macro_rules!` eager expansions](https://docs.rs/with_builtin_macros/0.1.0/with_builtin_macros/macro.with_eager_expansions.html)  and `concat!`/`concat_idents!` macros
      
      [`pastey`]: https://crates.io/crates/pastey
      [`with_builtin_macros`]: https://crates.io/crates/with_builtin_macros
    ├ Announcement: https://github.com/dtolnay/paste
    ├ Solution: No safe upgrade is available!
    ├ paste v1.0.15
      └── libdd-telemetry-ffi v36.0.0

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:194:1
    │
194 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── libdd-common v5.0.0
      │   ├── libdd-capabilities-impl v2.0.0
      │   │   ├── libdd-shared-runtime v1.0.0
      │   │   │   └── libdd-telemetry v5.0.1
      │   │   │       └── libdd-telemetry-ffi v36.0.0
      │   │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   ├── libdd-common-ffi v36.0.0
      │   │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   ├── libdd-shared-runtime v1.0.0 (*)
      │   ├── libdd-telemetry v5.0.1 (*)
      │   └── libdd-telemetry-ffi v36.0.0 (*)
      └── (dev) libdd-ddsketch v1.0.1
          └── libdd-telemetry v5.0.1 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:214:1
    │
214 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-telemetry-ffi v36.0.0
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       └── libdd-telemetry-ffi v36.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:214:1
    │
214 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
    ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
      
      This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
      This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-telemetry-ffi v36.0.0
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       └── libdd-telemetry-ffi v36.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:214:1
    │
214 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0104
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
    ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
      or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
      `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
      
      This panic is reachable prior to a CRL's signature being verified.
      
      Applications that do not use CRLs are not affected.
      
      Thank you to @tynus3 for the report.
    ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      ├── rustls v0.23.37
      │   ├── hyper-rustls v0.27.7
      │   │   └── libdd-common v5.0.0
      │   │       ├── libdd-capabilities-impl v2.0.0
      │   │       │   ├── libdd-shared-runtime v1.0.0
      │   │       │   │   └── libdd-telemetry v5.0.1
      │   │       │   │       └── libdd-telemetry-ffi v36.0.0
      │   │       │   ├── (dev) libdd-telemetry v5.0.1 (*)
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-common-ffi v36.0.0
      │   │       │   └── libdd-telemetry-ffi v36.0.0 (*)
      │   │       ├── libdd-shared-runtime v1.0.0 (*)
      │   │       ├── libdd-telemetry v5.0.1 (*)
      │   │       └── libdd-telemetry-ffi v36.0.0 (*)
      │   ├── libdd-common v5.0.0 (*)
      │   ├── rustls-platform-verifier v0.6.2
      │   │   └── libdd-common v5.0.0 (*)
      │   └── tokio-rustls v0.26.0
      │       ├── hyper-rustls v0.27.7 (*)
      │       └── libdd-common v5.0.0 (*)
      └── rustls-platform-verifier v0.6.2 (*)

advisories FAILED, bans ok, sources ok

📦 libdd-telemetry - 4 error(s)

Show output

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:163:1
    │
163 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `R...*[Comment body truncated]*