From ec4a689a305a4605036735328e8a5f02d1b54110 Mon Sep 17 00:00:00 2001
From: John Vandenberg
Date: Mon, 17 Nov 2025 10:32:48 +0800
Subject: [PATCH] Mark hexchat unsound and unmaintained
---
 crates/hexchat/RUSTSEC-0000-0000.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 crates/hexchat/RUSTSEC-0000-0000.md
diff --git a/crates/hexchat/RUSTSEC-0000-0000.md b/crates/hexchat/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..f00ef11f3
--- /dev/null
+++ b/crates/hexchat/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hexchat"
+date = "2025-11-17"
+url = "https://github.com/pie-flavor/hexchat-rs/issues/3"
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory-safety"]
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# hexchat crate is unsound and unmaintained
+
+All versions of this crate have function `deregister_command` which can result in use after free.
+This is unsound.
+
+In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads.
+
+In addition, the `hexchat` crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative.
+
+## Recommended alternatives
+
+- [`hexavalent`](https://crates.io/crates/hexavalent)
\ No newline at end of file
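Review bot: The title and body declare the crate both unsound and unmaintained, but the front matter records only `informational = "unsound"`, so tooling that filters on the unmaintained class will not surface that half of the advisory. Because `informational` holds a single value, the unmaintained status probably needs its own advisory file, leaving this one scoped to the soundness issue. The use-after-free is tied to `deregister_command` only in prose; an `[affected.functions]` table keyed by that function's full path (to be confirmed against the crate) with a version requirement covering all releases would make it machine-readable. The claim about the "safe" macros since 0.3.0 would be easier to verify with a link to the documentation that states the threading restriction, since `url` points only to the upstream issue.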