
resolve cargo audit warns and dedupe few deps #2034

Merged
merged 7 commits into from
Jan 22, 2025

Conversation

@klensy klensy commented Jan 22, 2025

See commits. Sadly, idna pulled in a big tree of new deps.

Crate:     ruzstd
Version:   0.7.0
Title:     `ruzstd` uninit and out-of-bounds memory reads
Date:      2024-11-28
ID:        RUSTSEC-2024-0400
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0400
Solution:  Upgrade to >=0.7.3

Crate:     openssl
Version:   0.10.64
Title:     `MemBio::get_buf` has undefined behavior with empty buffers
Date:      2024-07-21
ID:        RUSTSEC-2024-0357
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0357
Solution:  Upgrade to >=0.10.66

Crate:     instant
Version:   0.1.12
Warning:   unmaintained
Title:     `instant` is unmaintained
Date:      2024-09-01
ID:        RUSTSEC-2024-0384
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0384

bumped tempfile to remove instant

Crate:     futures-util
Version:   0.3.27
Warning:   yanked

bumped futures* to fix 0.3.27 yank
cargo update -p reqwest
    Updating crates.io index
     Locking 6 packages to latest compatible versions
    Updating reqwest v0.11.14 -> v0.11.27 (available: v0.12.12)
      Adding rustls-pemfile v1.0.4
      Adding sync_wrapper v0.1.2
      Adding system-configuration v0.5.1
      Adding system-configuration-sys v0.5.0
    Updating winreg v0.10.1 -> v0.50.0
Crate:     idna
Version:   0.3.0
Title:     `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
Date:      2024-12-09
ID:        RUSTSEC-2024-0421
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0421
Solution:  Upgrade to >=1.0.0

bumped idna, url, smallvec
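The advisories quoted above are what `cargo audit` produces by matching each `[[package]]` entry in Cargo.lock against the RustSEC database and reporting any locked version below the advisory's "Upgrade to >=" bound. The block below is an added example, not code from this PR, from rustc-perf or from cargo-audit: it reimplements that match in plain Rust for the four advisories listed in the description. The two Cargo.lock fragments (`BEFORE_LOCK`, `AFTER_LOCK`) are constructed to mirror the before/after state of the lock file, and the helper names (`Version`, `lock_packages`, `audit`) are this example's own.

```rust
// Added example: a minimal re-implementation of the check `cargo audit` runs
// against Cargo.lock. Not part of the rustc-perf PR; the lock fragments and
// helper names below are constructed for illustration.

/// A crate version compared component-wise, e.g. "0.10.64" -> [0, 10, 64].
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Version(Vec<u64>);

impl Version {
    /// Parse a version string. Pre-release/build suffixes ("-beta", "+meta")
    /// are dropped and short versions are padded so "1.0" == "1.0.0"; this is
    /// enough for the crate versions discussed in the PR (not full semver).
    fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c: char| c == '-' || c == '+').next()?;
        let mut parts = core
            .split('.')
            .map(|p| p.trim().parse::<u64>().ok())
            .collect::<Option<Vec<u64>>>()?;
        while parts.len() < 3 {
            parts.push(0);
        }
        Some(Version(parts))
    }
}

/// One RustSEC entry, reduced to what the lock-file match needs.
struct Advisory {
    id: &'static str,
    krate: &'static str,
    /// Smallest unaffected version ("Solution: Upgrade to >=X"). `None` marks
    /// an informational warning such as "unmaintained" that no version fixes.
    patched: Option<&'static str>,
}

/// The four advisories from the PR description (ids and bounds as quoted there).
const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2024-0400", krate: "ruzstd", patched: Some("0.7.3") },
    Advisory { id: "RUSTSEC-2024-0357", krate: "openssl", patched: Some("0.10.66") },
    Advisory { id: "RUSTSEC-2024-0384", krate: "instant", patched: None },
    Advisory { id: "RUSTSEC-2024-0421", krate: "idna", patched: Some("1.0.0") },
];

/// Extract (name, version) pairs from the `[[package]]` tables of a Cargo.lock.
/// Deliberately line-oriented: it only needs the `name = "..."` and
/// `version = "..."` keys that cargo writes for every package entry.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Report every locked package an advisory still applies to, as
/// (advisory id, crate name, locked version). A package is affected when its
/// version is below the patched bound, or always, for bound-less warnings.
fn audit(lock: &str) -> Vec<(&'static str, String, String)> {
    let mut hits = Vec::new();
    for (name, raw) in lock_packages(lock) {
        let Some(ver) = Version::parse(&raw) else { continue };
        for adv in ADVISORIES {
            if adv.krate != name {
                continue;
            }
            let affected = match adv.patched.and_then(Version::parse) {
                Some(fixed) => ver < fixed,
                None => true,
            };
            if affected {
                hits.push((adv.id, name.clone(), raw.clone()));
            }
        }
    }
    hits
}

// Constructed lock-file fragments (not the real rustc-perf Cargo.lock).
const BEFORE_LOCK: &str = r#"
[[package]]
name = "idna"
version = "0.3.0"

[[package]]
name = "instant"
version = "0.1.12"

[[package]]
name = "openssl"
version = "0.10.64"

[[package]]
name = "ruzstd"
version = "0.7.0"

[[package]]
name = "url"
version = "2.3.1"
"#;

const AFTER_LOCK: &str = r#"
[[package]]
name = "idna"
version = "1.0.3"

[[package]]
name = "openssl"
version = "0.10.66"

[[package]]
name = "ruzstd"
version = "0.7.3"

[[package]]
name = "url"
version = "2.5.4"
"#;

fn main() {
    for (id, krate, ver) in audit(BEFORE_LOCK) {
        println!("{id}: {krate} {ver} is affected");
    }
    println!("after update: {} findings", audit(AFTER_LOCK).len());
}
```

The yanked `futures-util 0.3.27` from the PR is not modelled here: a yank is crates.io index state rather than a RustSEC advisory, so `cargo audit` learns it from the index, not from the advisory database.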
Kobzol commented Jan 22, 2025

Thanks! I checked this and it adds like 20 new packages though 😞 Could we keep just the RUSTSEC updates, i.e. basically the first and third commits? That on its own actually reduces the package count by a few.

klensy commented Jan 22, 2025

Thanks! I checked this and it adds like 20 new packages though 😞 Could we keep just the RUSTSEC updates, i.e. basically the first and third commits? That on its own actually reduces the package count by a few.

Yes, this is:

Sadly, idna pulled big tree of new deps.

reqwest bump required for idna bump (I've tried and it didn't work without url -> reqwest bump):
(you can check 3rd commit - most new deps from it)

idna v1.0.3
└── url v2.5.4
    ├── reqwest v0.11.27

I've dropped the clap bump and killed a few windows deps, should be better (redox deps unused anyway)

Kobzol commented Jan 22, 2025

I tried this: cargo update ruzstd openssl tempfile futures-util idna and that resulted in 4 fewer packages for cargo build -p collector.

klensy commented Jan 22, 2025

cargo update ruzstd openssl tempfile futures-util idna

Yes, because your update didn't update idna :-)

Kobzol commented Jan 22, 2025

I see. I mean, the idna vulnerability doesn't exactly look terrifying, but so be it.

Thanks!

@Kobzol Kobzol merged commit d2e21ee into rust-lang:master Jan 22, 2025
11 checks passed
klensy commented Jan 22, 2025

I see. I mean, the idna vulnerability doesn't exactly look terrifying, but so be it.

Thanks!

Yes, didn't look that scary.
