Skip to content

Update transitive deps and fix 2 security advisories (protobuf, tungstenite)#6381

Draft
ndr-ds wants to merge 1 commit into
mainfrom
ndr-ds/cargo-update-security
Draft

Update transitive deps and fix 2 security advisories (protobuf, tungstenite)#6381
ndr-ds wants to merge 1 commit into
mainfrom
ndr-ds/cargo-update-security

Conversation

@ndr-ds

@ndr-ds ndr-ds commented May 25, 2026

Copy link
Copy Markdown
Contributor

Motivation

Address open security advisories in the main workspace dependency tree and bring all transitive dependencies up to their latest semver-compatible versions.

Proposal

  1. cargo update — refreshes ~200 transitive dependencies to their latest semver-compatible versions, with no API changes required.

  2. async-tungstenite 0.22 → 0.28 + graphql-ws-client 0.5 → 0.13 — closes RUSTSEC-2023-0065 (remote DoS via malformed WebSocket frame, CVSS 7.5). The advisory requires tungstenite >= 0.20.1; the workspace now resolves tungstenite 0.24 everywhere, eliminating the vulnerable 0.19.0.

    • linera-service's two call sites (connect_async, IntoClientRequest) are unaffected by the API evolution.
    • linera-indexer previously pinned async-tungstenite 0.22 (→ vulnerable tungstenite 0.19) because graphql-ws-client 0.5 hard-depends on it. Upgrading to graphql-ws-client 0.13 (new runtime-agnostic Client::build(connection).subscribe(op) API; no more TokioSpawner / split sink-stream) removes that pin. This in turn requires graphql_client 0.13 → 0.16 in the four crates that share the generated query types (linera-indexer-graphql-client, linera-indexer, linera-service-graphql-client, linera-explorer).
  3. prometheus = { …, default-features = false } — the protobuf default feature pulls in protobuf 2.28.0 (used only for Prometheus push-gateway encoding, which we don't use). Disabling the default feature drops the dep entirely and closes RUSTSEC-2024-0437 (uncontrolled recursion crash in protobuf 2.x).

Notes

  • The alloy ecosystem is held at 1.0.42 (and the alloy-sol-types cluster at 1.5.7): the broad cargo update would bump alloy-network to 1.8.3, whose blanket impl<N> NetworkWallet<N> for EthereumWallet conflicts with op-alloy-network 0.22.0's impl NetworkWallet<Optimism>. No 0.22.x of op-alloy-network avoids this; the next release requires alloy 2.x. The pins keep linera-bridge compiling.
  • Examples and linera-sdk/tests/fixtures lockfiles only change by the removal of protobuf (a ripple of the prometheus feature change); their dependency trees are otherwise untouched.

Remaining advisories not addressed here (require larger refactors, tracked separately):

  • RUSTSEC-2023-0071: rsa via sqlx-mysql — no upstream fix available
  • RUSTSEC-2026-0098/0099/0104: rustls-webpki 0.101.x via reqwest 0.11 + kube 0.88 — needs reqwest 0.11→0.12 + kube upgrade
  • RUSTSEC-2025-0055: tracing-subscriber 0.2.x via ark-bn254/revm — needs ark crate upgrade

Test Plan

  • cargo check --workspace --locked passes (main + examples + fixtures workspaces).
  • RUSTFLAGS="-D warnings" cargo clippy --workspace --all-targets --locked passes.
  • cargo audit no longer reports RUSTSEC-2023-0065 or RUSTSEC-2024-0437 (tungstenite 0.19.0 and protobuf are gone from the tree).
  • CI covers the rest.

Release Plan

  • Nothing to do / These changes follow the usual release cycle.

Links

@ndr-ds ndr-ds marked this pull request as draft May 26, 2026 00:05
@ndr-ds ndr-ds force-pushed the ndr-ds/cargo-update-security branch 3 times, most recently from 09c6da4 to 02b22c2 Compare May 29, 2026 20:06
…stenite) and RUSTSEC-2024-0437 (drop protobuf)
@ndr-ds ndr-ds force-pushed the ndr-ds/cargo-update-security branch from 02b22c2 to 3ea54ee Compare May 30, 2026 02:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant