Update transitive deps and fix 2 security advisories (protobuf, tungstenite)#6381
Draft
ndr-ds wants to merge 1 commit into
Draft
Update transitive deps and fix 2 security advisories (protobuf, tungstenite)#6381ndr-ds wants to merge 1 commit into
ndr-ds wants to merge 1 commit into
Conversation
09c6da4 to
02b22c2
Compare
…stenite) and RUSTSEC-2024-0437 (drop protobuf)
02b22c2 to
3ea54ee
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Address open security advisories in the main workspace dependency tree and bring all transitive dependencies up to their latest semver-compatible versions.
Proposal
cargo update— refreshes ~200 transitive dependencies to their latest semver-compatible versions, with no API changes required.async-tungstenite0.22 → 0.28 +graphql-ws-client0.5 → 0.13 — closes RUSTSEC-2023-0065 (remote DoS via malformed WebSocket frame, CVSS 7.5). The advisory requirestungstenite >= 0.20.1; the workspace now resolvestungstenite 0.24everywhere, eliminating the vulnerable 0.19.0.linera-service's two call sites (connect_async,IntoClientRequest) are unaffected by the API evolution.linera-indexerpreviously pinnedasync-tungstenite 0.22(→ vulnerabletungstenite 0.19) becausegraphql-ws-client 0.5hard-depends on it. Upgrading tographql-ws-client 0.13(new runtime-agnosticClient::build(connection).subscribe(op)API; no moreTokioSpawner/ split sink-stream) removes that pin. This in turn requiresgraphql_client 0.13 → 0.16in the four crates that share the generated query types (linera-indexer-graphql-client,linera-indexer,linera-service-graphql-client,linera-explorer).prometheus = { …, default-features = false }— theprotobufdefault feature pulls inprotobuf 2.28.0(used only for Prometheus push-gateway encoding, which we don't use). Disabling the default feature drops the dep entirely and closes RUSTSEC-2024-0437 (uncontrolled recursion crash in protobuf 2.x).Notes
alloyecosystem is held at1.0.42(and thealloy-sol-typescluster at1.5.7): the broadcargo updatewould bumpalloy-networkto 1.8.3, whose blanketimpl<N> NetworkWallet<N> for EthereumWalletconflicts withop-alloy-network 0.22.0'simpl NetworkWallet<Optimism>. No 0.22.x of op-alloy-network avoids this; the next release requires alloy 2.x. The pins keeplinera-bridgecompiling.linera-sdk/tests/fixtureslockfiles only change by the removal ofprotobuf(a ripple of theprometheusfeature change); their dependency trees are otherwise untouched.Remaining advisories not addressed here (require larger refactors, tracked separately):
rsaviasqlx-mysql— no upstream fix availablerustls-webpki 0.101.xviareqwest 0.11+kube 0.88— needs reqwest 0.11→0.12 + kube upgradetracing-subscriber 0.2.xviaark-bn254/revm— needs ark crate upgradeTest Plan
cargo check --workspace --lockedpasses (main + examples + fixtures workspaces).RUSTFLAGS="-D warnings" cargo clippy --workspace --all-targets --lockedpasses.cargo auditno longer reports RUSTSEC-2023-0065 or RUSTSEC-2024-0437 (tungstenite 0.19.0andprotobufare gone from the tree).Release Plan
Links