
Upgrade crates with known vulnerabilities #2560

Merged
merged 2 commits into from
Mar 25, 2024

Conversation

m-lord-renkse
Contributor

Description

Upgrade crates with known vulnerabilities

Changes

Several crates have been updated to avoid known vulnerabilities

How to test

  1. Regression tests passing

@m-lord-renkse m-lord-renkse requested a review from a team as a code owner March 22, 2024 12:10
dependencies = [
"ring",
"untrusted",
]

[[package]]
name = "whoami"
version = "1.4.1"
version = "1.5.0"
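Review bot: the whoami entry moves from 1.4.1 to 1.5.0 in Cargo.lock only, while the Cargo.toml constraint that pulls it in (through sqlx, per the discussion) is unchanged, so the fix lives entirely in the lockfile. That is the right call for a transitive dependency whose parent has not released a fix, but the rendered hunk shows only the two version lines: confirm the entry's checksum line was regenerated alongside it, which cargo update -p whoami does and a hand edit would not, and consider running cargo audit as a CI step so the lockfile is re-checked on every PR rather than once.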

@@ -5215,19 +5230,23 @@ dependencies = [

[[package]]
name = "webpki"
version = "0.22.0"
version = "0.22.2"

@@ -3779,9 +3788,9 @@ dependencies = [

[[package]]
name = "rustls-webpki"
version = "0.101.3"
version = "0.101.4"
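Review bot: with this hunk and the previous one, both webpki (0.22.2) and rustls-webpki (0.101.4) stay in the lockfile, so the build carries two certificate-path-validation crates. Bumping both is correct, but cargo tree -i webpki would show which dependents still pull in the original webpki crate; if those can move to rustls-webpki, that is one fewer crate to track advisories for.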

@@ -3081,11 +3081,11 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"

[[package]]
name = "openssl"
version = "0.10.56"
version = "0.10.64"
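Review bot: openssl 0.10.56 to 0.10.64 updates the Rust binding only; the libssl it links against comes from the build environment (or from the crate's vendored feature), so an advisory against the OpenSSL library itself is not addressed by this bump. The companion openssl-sys entry is not in the visible hunk, so check whether it also needed to move for 0.10.64 to resolve.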

@@ -6,7 +6,7 @@ edition = "2021"
license = "MIT OR Apache-2.0"

[dependencies]
atty = "0.2"
atty = "0.2.14"
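Review bot: changing the constraint from "0.2" to "0.2.14" only raises the minimum compatible atty version (both ranges still mean anything below 0.3.0); if Cargo.lock already resolved 0.2.14 this is a no-op for the build, and as noted in the thread the crate's advisory (RUSTSEC-2021-0145) is not fixed by any 0.2.x release. State that in the PR description as a still-open, accepted item so the next reader does not take the pin as a fix.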
Contributor Author

https://rustsec.org/advisories/RUSTSEC-2021-0145 (still not solved with this update, they are working on it)

@@ -2204,17 +2204,17 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"

[[package]]
name = "h2"
version = "0.3.20"
version = "0.3.25"

@@ -2808,9 +2808,9 @@ dependencies = [

[[package]]
name = "mio"
version = "0.8.8"
version = "0.8.11"

@squadgazzz
Contributor

Not sure about upgrading transitive dependencies directly through the cargo.lock. How about upgrading libs from the cargo.toml that import outdated dependencies?

@m-lord-renkse
Contributor Author

m-lord-renkse commented Mar 22, 2024

Not sure about upgrading transitive dependencies directly through the cargo.lock. How about upgrading libs from the cargo.toml that import outdated dependencies?

Updating dependencies in the .lock file when they are minor versions is totally fine (I don't modify the file itself, I do cargo update X) and recommendable for the cases in which the parent crate didn't release a fix yet (which is very common, sadly). I did it like that so I am not doing too many changes, but I am happy to bump all those crates to the newest version!

@squadgazzz for example, the dependency whoami: if you update sqlx, you are forced to update chrono (which has breaking changes, btw), and then the whoami version will still be 1.4.1. Not good. But again, I am more than happy to bump all the crates if necessary!

Another reason why it is safe: remove Cargo.lock (as if the project was brand new) and compile, you will see... (ignore chrono :D)


@MartinquaXD MartinquaXD left a comment


Nice initiative!
BTW there is also cargo audit fix, which adds a lot of additional changes to the lockfile. Did you consider using that instead?

@m-lord-renkse
Contributor Author

Nice initiative! BTW there is also cargo audit fix which adds a lot of additional changes to the lockfile. Did you consider using that instead?

Umm, first time I heard of cargo audit fix, I don't see it in the docs 🤔 Do you know how it is used? It would be really nice indeed.

@MartinquaXD
Contributor

It's a separate command that can be added to cargo itself. More information can be found here: https://crates.io/crates/cargo-audit

@m-lord-renkse
Contributor Author

It's a separate command that can be added to cargo itself. More information can be found here: https://crates.io/crates/cargo-audit

Ah, it has to be installed with a feature flag, I see. I didn't know, thanks!! I did it and it didn't update anything else besides what I updated in this PR.
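The check the two exchanges above revolve around, whether the versions actually resolved in Cargo.lock are at or above the first patched release of each crate (what cargo audit does against the RustSec database, and what a lockfile-only cargo update -p fixes), as an added example that is not code from this PR or from the project. The lockfile text is constructed from the entries shown in the hunks at their pre-upgrade versions, and the "first patched version" table is an assumption: it simply uses the versions this PR moves to, where a real check would read the advisory database.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: [[package]] entries shaped like the Cargo.lock hunks in
# this PR, at the pre-upgrade versions. Checksum/source lines are omitted
# because only name and version matter for this check.
LOCK_BEFORE = """\
[[package]]
name = "h2"
version = "0.3.20"

[[package]]
name = "mio"
version = "0.8.8"

[[package]]
name = "openssl"
version = "0.10.56"

[[package]]
name = "rustls-webpki"
version = "0.101.3"

[[package]]
name = "webpki"
version = "0.22.0"

[[package]]
name = "whoami"
version = "1.4.1"
"""

# ASSUMPTION: the first patched version of each crate is taken to be the version
# the PR upgrades to. cargo audit gets this from the RustSec advisory database;
# this table is constructed for the example only.
PATCHED_VERSIONS: Dict[str, str] = {
    "h2": "0.3.25",
    "mio": "0.8.11",
    "openssl": "0.10.64",
    "rustls-webpki": "0.101.4",
    "webpki": "0.22.2",
    "whoami": "1.5.0",
}

_PKG_HEADER = "[[package]]"
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lock(text: str) -> List[Dict[str, str]]:
    """Parse the [[package]] tables of a Cargo.lock into dicts of their string keys.
    Array values such as `dependencies = [...]` are skipped; they are not needed here."""
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == _PKG_HEADER:
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return [p for p in packages if "name" in p and "version" in p]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '0.10.64' into (0, 10, 64) so versions compare numerically, not as
    strings ('0.101.3' must sort above '0.22.2'). Pre-release and build suffixes
    are dropped, which is good enough for the release versions a lockfile pins."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_outdated(lock_text: str, patched: Dict[str, str] = PATCHED_VERSIONS
                  ) -> List[Tuple[str, str, str]]:
    """Return (name, locked_version, first_patched_version) for every locked entry
    below its patched version. A crate can appear more than once in a lockfile
    (two incompatible majors side by side), so every entry is checked, not one per name."""
    findings = []
    for pkg in parse_lock(lock_text):
        fixed = patched.get(pkg["name"])
        if fixed and version_key(pkg["version"]) < version_key(fixed):
            findings.append((pkg["name"], pkg["version"], fixed))
    return findings


def update_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """The lockfile-only bumps discussed in the PR: cargo update -p touches just that
    entry (and refreshes its checksum), and --precise pins the exact target version."""
    return [f"cargo update -p {name} --precise {fixed}" for name, _locked, fixed in findings]


def bumped(lock_text: str, name: str, new_version: str) -> str:
    """Rewrite one entry's version line, for this worked example only; in a real
    project run the cargo update command instead so the checksum is regenerated."""
    pattern = re.compile(r'(name = "' + re.escape(name) + r'"\nversion = )"[^"]*"')
    return pattern.sub(lambda m: m.group(1) + '"' + new_version + '"', lock_text)


# The same lockfile after every entry has been moved to its patched version.
LOCK_AFTER = LOCK_BEFORE
for _name, _fixed in PATCHED_VERSIONS.items():
    LOCK_AFTER = bumped(LOCK_AFTER, _name, _fixed)


if __name__ == "__main__":
    for name, locked, fixed in find_outdated(LOCK_BEFORE):
        print(f"{name} {locked} is below first patched {fixed}")
    for cmd in update_commands(find_outdated(LOCK_BEFORE)):
        print(cmd)
    print("after upgrade:", find_outdated(LOCK_AFTER))
```

Run as a script it lists the six entries from the hunks and the cargo update invocation for each, then reports an empty list for the upgraded lockfile. The version comparison is the part worth keeping from this: a naive string compare would pass rustls-webpki 0.101.3 as newer than 0.22.2, which is exactly the kind of mistake that lets a vulnerable pin through a hand-rolled check.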

@m-lord-renkse m-lord-renkse merged commit 48ad4c9 into main Mar 25, 2024
9 checks passed
@m-lord-renkse m-lord-renkse deleted the update-crate-to-avoid-vuln branch March 25, 2024 14:52
@github-actions github-actions bot locked and limited conversation to collaborators Mar 25, 2024