Rust CI Pipeline Missing Dependency Vulnerability Scanning: Transitive CVEs in ureq, image, rten, rayon Go Undetected
A security audit has identified a critical gap in the CI pipeline of a Rust project: the workflow at `.github/workflows/rust.yml` runs standard checks including fmt, build, clippy, and test, but entirely omits dependency vulnerability scanning. The absence of tools like `cargo audit` or `cargo deny` means known CVEs in transitive dependencies can be merged without detection. Four specific dependencies have been flagged as potentially affected: ureq, image, rten, and rayon.
The issue report highlights ureq as a particularly high-value target. This HTTP client handles model download operations, meaning a TLS or HTTP parser vulnerability in ureq could be exploited during the model-download flow. The risk is compounded by the fact that no automated license or dependency policy check exists either, leaving the project without visibility into the security posture of its software supply chain.
Security reviewers recommend adding a dedicated security audit step that runs `cargo audit` to scan for known vulnerabilities and `cargo deny` to enforce dependency policies. A sample `deny.toml` configuration has been proposed that blocks vulnerable or yanked dependencies while only warning on unmaintained ones. Until those checks are in place, any known CVE in the affected dependencies could enter production undetected.
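The following is an added example of what the missing audit job could look like; it is not the project's own workflow or the `deny.toml` that was proposed in the issue. It assumes the crate lives at the repository root and commits its `Cargo.lock` (both tools scan the lock file, which is what makes transitive crates such as ureq, image, rten and rayon visible). The policy file is written from a heredoc only so the example is self-contained; in a real repository `deny.toml` is committed at the root and that step is dropped.

```yaml
# Added example job for .github/workflows/rust.yml (not the project's own code).
# Assumes: crate at repository root, Cargo.lock committed, GitHub-hosted runner.
name: rust-security

on:
  push:
  pull_request:
  # Nightly run (an addition here, not from the issue): a newly published
  # advisory is caught even when no commit touches the repository.
  schedule:
    - cron: "0 3 * * *"

permissions:
  contents: read

jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Example policy. Normally committed as deny.toml at the repository root;
      # written here only to keep the example self-contained.
      - name: Write example deny.toml
        run: |
          cat > deny.toml <<'EOF'
          [advisories]
          db-urls = ["https://github.com/rustsec/advisory-db"]
          vulnerability = "deny"   # crate with a known RUSTSEC/CVE advisory fails the job
          yanked = "deny"          # yanked crate version fails the job
          unmaintained = "warn"    # reported, but not fatal
          ignore = []              # RUSTSEC ids go here only with a written justification

          [bans]
          multiple-versions = "warn"
          wildcards = "deny"       # `dep = "*"` pins nothing; force an explicit range

          [sources]
          unknown-registry = "deny"
          unknown-git = "deny"

          [licenses]
          # Example allow-list; adjust to the project's actual license policy.
          allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]
          EOF

      - name: Install audit tooling
        run: |
          cargo install cargo-audit --locked
          cargo install cargo-deny --locked

      # cargo audit checks Cargo.lock against the RustSec advisory database.
      # --deny warnings also fails on unmaintained/unsound/yanked entries.
      - name: cargo audit
        run: cargo audit --deny warnings

      # cargo deny enforces the policy above across all four check categories.
      - name: cargo deny
        run: cargo deny check advisories bans sources licenses
```

Two practical notes. First, the `vulnerability`/`unmaintained`/`yanked` keys follow the original `[advisories]` schema, which is the one the issue's description matches; cargo-deny 0.14.3 and later print a deprecation warning for it and prefer `version = 2`, under which every advisory is an error unless listed in `ignore`, so the file should be adjusted to whichever cargo-deny version the runner installs. Second, `ignore` entries are the place where this control quietly erodes: each one should carry a reason and a review date, otherwise a temporarily ignored advisory in ureq or any other dependency becomes a permanent blind spot.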