RustSec flags audiopus_sys as unmaintained, build failures loom with CMake 4.0
RustSec just flagged audiopus_sys as unmaintained, and CMake 4.0 can already break builds. The risk is a failing audio stack, not a CVE.
The problem with audiopus_sys is not a flashy exploit. It is the quieter failure mode that wrecks builds, stalls releases, and leaves an audio stack stranded the moment a toolchain moves on.
RustSec added RUSTSEC-2026-0150 as an informational advisory for audiopus_sys on May 22, 2026, and the note reads like a maintenance postmortem. The advisory says the maintainer was contacted on June 10, 2025 and never replied. A separate pull request opened in 2025 to address the CMake 4.0 breakage also went unanswered. RustSec says the last commit landed five years ago, which is why the crate now sits in the awkward category of software that appears stable until the environment around it changes.

That change has already arrived. A GitHub issue titled “Can’t build audiopus_sys with new CMake due to version 3.5 deprecation” was opened on June 8, 2025, after users found that crates depending on audiopus_sys failed to compile on systems with CMake 4.0 or newer. The repository README describes audiopus_sys as an FFI Rust binding to Opus 1.3, originally created to help serenity build audio features on Windows, Linux, and macOS. It also says building Opus requires CMake, with pkg-config tried first if available, which turns CMake compatibility into a direct build requirement rather than an optional convenience.
That is why an informational advisory still demands action. If audiopus_sys is anywhere in the tree, directly or through another crate, the next environment refresh can turn into a hard failure in CI, packaging, or production builds. There is no patched version listed in RustSec, so the path forward is not “upgrade and move on.” The options are to replace the crate, fork it, or change the project’s Opus integration strategy before CMake 4.0 becomes the default in a build environment and the breakage lands at the worst possible time.
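To check whether audiopus_sys is anywhere in the tree, the following added example (not code from the advisory or from the audiopus_sys project) reads a Cargo.lock and lists every dependency chain that reaches the crate. The lockfile excerpt is constructed, every package name in it other than audiopus_sys is made up, and packages are keyed by name only, so multiple versions of one crate are merged.

```python
import re

# Constructed Cargo.lock excerpt: only audiopus_sys is a real crate name here.
SAMPLE_LOCK = """
[[package]]
name = "audiopus_sys"
version = "0.0.0"
[[package]]
name = "example-bot"
version = "0.1.0"
dependencies = [
 "example-log",
 "example-voice 1.2.0",
]
[[package]]
name = "example-log"
version = "0.4.0"
[[package]]
name = "example-voice"
version = "1.2.0"
dependencies = [
 "audiopus_sys",
]
"""

def parse_lock(text):
    """Map each package name to the names it depends on.

    Dependency entries are "name", "name version" or "name version (source)"."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        entries = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        graph.setdefault(name, set()).update(e.split()[0] for e in entries)
    return graph

def chains_to(graph, target):
    """Return every chain from a root package (nothing depends on it) to target."""
    depended_on = set().union(*graph.values())
    found = []
    def walk(node, trail):
        if node == target:
            found.append(trail + [node])
        elif node not in trail:  # lockfiles can contain cycles; do not loop
            for dep in sorted(graph.get(node, ())):
                walk(dep, trail + [node])
    for root in sorted(p for p in graph if p not in depended_on):
        walk(root, [])
    return found
```

Where the Rust toolchain is installed, `cargo tree -i audiopus_sys` answers the same question for a single workspace. The script is for lockfiles gathered from many repositories or CI artifacts without running cargo.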
The maintenance warning is reinforced by another GitHub issue that questioned the project’s status and pointed to four years without commits or responses to issues and pull requests. CMake 4.0’s release notes make the rest of the picture clear: major releases can remove deprecated behavior, and a sys crate that has not kept pace can stop compiling overnight. For Rust audio stacks, that is the real dependency risk here, a build that used to pass suddenly going red because nobody was left to keep the bridge intact.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


