dep: update rumqttd/rumqttc to resolve RUSTSEC-2026-0049 (rustls-webpki)

## Context

`cargo audit` fails due to [RUSTSEC-2026-0049](https://rustsec.org/advisories/RUSTSEC-2026-0049) — a CRL matching logic bug in `rustls-webpki <0.103.10`.

Both `rumqttd 0.20.0` and `rumqttc 0.25.1` (the latest on crates.io) depend on `rustls 0.22` / `rustls-webpki 0.102.x`, so we can't resolve this with a simple `cargo update`.

## Impact

**None for us.** The vulnerability is in CRL (Certificate Revocation List) matching logic, which is opt-in. Our MQTT client uses `Transport::Tls(Default::default())` with no custom CRL configuration, so the faulty code path is never hit.

## Upstream

- [bytebeamio/rumqtt#1037](https://github.com/bytebeamio/rumqtt/pull/1037) — PR to bump rustls-webpki and tokio-rustls (opened 2026-03-23, not yet merged)
- [bytebeamio/rumqtt#1029](https://github.com/bytebeamio/rumqtt/issues/1029) — maintained fork discussion

## Current workaround

Advisory is suppressed in `.cargo/audit.toml`. Remove the ignore entry once upstream publishes a fixed version.

## Action items

- [ ] Watch for a new `rumqttd` / `rumqttc` release with `rustls-webpki >=0.103.10`
- [ ] Update `Cargo.toml` workspace deps
- [ ] Remove the `RUSTSEC-2026-0049` ignore from `.cargo/audit.toml`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dep: update rumqttd/rumqttc to resolve RUSTSEC-2026-0049 (rustls-webpki) #2

Context

Impact

Upstream

Current workaround

Action items

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

dep: update rumqttd/rumqttc to resolve RUSTSEC-2026-0049 (rustls-webpki) #2

Description

Context

Impact

Upstream

Current workaround

Action items

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions