RustSec marks ttf-parser unmaintained, points Rust users to skrifa
RustSec has marked ttf-parser unmaintained, turning a routine font crate into a migration decision for Rust text stacks. skrifa is now the named replacement.
RustSec has marked ttf-parser unmaintained in advisory RUSTSEC-2026-0192, and the warning lands squarely on Rust projects that parse fonts inside layout and rendering pipelines. The advisory was reported on June 28, 2026 and issued on June 29, 2026, with OSV listing it as published on June 28 and modified the next day.
The advisory is classified as INFO, which makes the signal clear: this is not a conventional exploit alert, but a maintenance and supply-chain notice. RustSec says the crate’s author has stated that no further fixes will be provided, so downstream users should no longer plan on future security patches or bug fixes from the upstream project.

That matters because ttf-parser sits deep in places Rust developers depend on every day. Its documentation describes it as a high-level, safe, zero-allocation parser for TrueType, OpenType, and AAT fonts, which puts it in the path for text rendering engines, font inspection tools, GUI stacks, and any application that needs to read glyph and metadata structures. Once a parser like that goes unmaintained, the decision is no longer just about whether the code still works today. It becomes a question of whether the crate will keep pace with parser hardening, spec changes, and the expectations of security review.
RustSec points users toward skrifa as the alternative, and that is where the migration work starts. skrifa is an actively maintained TrueType and OpenType parser from Google Fonts’ fontations project, which currently includes four main library crates: font-types, read-fonts, write-fonts, and skrifa. The project says it was built to provide more robust and performant open tools for font engineering and production tasks, while skrifa itself describes a robust, ergonomic, high-performance library for reading OpenType fonts built on top of the lower-level read-fonts parser.
For teams deciding whether to stay put or move, the practical questions are immediate: where does ttf-parser appear in the dependency tree, what parts of the text stack consume its API, and how much code depends on its zero-allocation behavior or its current parsing surface. The advisory does not demand an emergency rewrite, but it does turn compatibility testing into work that cannot wait for the next upstream surprise.
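One way to answer the first of those questions, where ttf-parser appears in the dependency tree, is to walk Cargo.lock in reverse from ttf-parser up to the top-level crates. This is an added example, not code from RustSec, ttf-parser or skrifa; the lockfile text is a constructed sample trimmed to the stanzas that carry dependency edges, the `demo-*` crate names and the function names are hypothetical, and `0.0.0` is a placeholder version.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Constructed sample: "demo-*" crates are hypothetical and 0.0.0 is a placeholder version.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "demo-app"
dependencies = [
 "demo-gui",
 "ttf-parser 0.0.0",
]
[[package]]
name = "demo-gui"
dependencies = [
 "ttf-parser 0.0.0",
]
"#;
/// Map each crate to its direct dependents. Entries are "name", "name version" or "name version (source)".
fn reverse_deps(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut rev: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let (mut current, mut in_deps) = (String::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            current = v.trim_matches('"').to_string();
        } else if line == "dependencies = [" || line == "]" {
            in_deps = line != "]";
        } else if in_deps {
            let name = line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap_or("");
            rev.entry(name.to_string()).or_default().insert(current.clone());
        }
    }
    rev
}

/// Every chain from a top-level crate (one nothing depends on) down to `target`; cycles are not followed.
fn paths_to(rev: &BTreeMap<String, BTreeSet<String>>, target: &str) -> BTreeSet<String> {
    let (mut out, mut stack) = (BTreeSet::new(), vec![vec![target.to_string()]]);
    while let Some(path) = stack.pop() {
        let parents = rev.get(&path[0]).cloned().unwrap_or_default();
        if parents.is_empty() && path.len() > 1 {
            out.insert(path.join(" -> "));
        }
        for p in parents.iter().filter(|p| !path.contains(*p)) {
            stack.push(std::iter::once(p.clone()).chain(path.iter().cloned()).collect());
        }
    }
    out
}

fn main() {
    paths_to(&reverse_deps(SAMPLE_LOCK), "ttf-parser").iter().for_each(|p| println!("{}", p));
}
```

On a real workspace, `cargo tree --invert ttf-parser` prints the same reverse view from Cargo's own resolver.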
The same-day reaction in downstream issue trackers shows how quickly the warning is being taken seriously. Tauri issue #15607 and wgpu_playground issue #406 both flagged the dependency for replacement work, which is exactly the kind of response RustSec’s notice is meant to trigger. For projects built around ttf-parser’s fast, safe font inspection path, the real story is not the label itself. It is the clock that starts running once an unmaintained parser becomes part of a shipped product.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


