change(deps): Update dependencies that only appear in the lock file #6217
Conversation
Codecov Report

Additional details and impacted files

```
@@            Coverage Diff            @@
##             main    #6217     +/-   ##
=======================================
  Coverage   77.64%   77.65%
=======================================
  Files         304      304
  Lines       39583    39532     -51
=======================================
- Hits        30736    30698     -38
+ Misses       8847     8834     -13
```
6f0700d to 78f6326
I think we should do this during Sprint 6. Do we want to review each dependency updated? It seems like a huge task and everyone in the team would have to review 30 or so dependencies to check... If it's just a case of reviewing your method and the list to be updated it makes sense to have 2 people doing so and we should still wait until Sprint 6 to do so.

We wouldn't normally review these dependencies, because they are transitive dependencies (dependencies of our direct dependencies). Usually we do a quick review of direct dependencies, and assume any changes they have made to their own dependencies are ok.

I think that's a good way to review it. Just review the method, and quickly check that the resulting list makes sense, and doesn't have anything consensus-critical in it.

Merging this PR will upgrade to all the latest versions of our dependencies and transitive dependencies, resolving the security advisories with fixes in:

It also changes the release process to upgrade all dependencies and transitive dependencies before each release. (But those upgrades will be a lot smaller.)
Here's the latest list of updated crates:

Output:

```
$ cargo update
    Updating crates.io index
    Updating addr2line v0.17.0 -> v0.19.0
    Updating ahash v0.8.2 -> v0.8.3
    Updating aho-corasick v0.7.18 -> v0.7.20
    Updating anyhow v1.0.69 -> v1.0.70
    Updating arrayref v0.3.6 -> v0.3.7
    Updating async-stream v0.3.2 -> v0.3.4
    Updating async-stream-impl v0.3.2 -> v0.3.4
    Updating async-trait v0.1.52 -> v0.1.67
    Updating axum v0.5.17 -> v0.6.12
    Updating axum-core v0.2.9 -> v0.3.3
    Updating backtrace v0.3.64 -> v0.3.67
    Updating base64 v0.13.0 -> v0.13.1
    Updating bit-set v0.5.2 -> v0.5.3
    Removing block-buffer v0.7.3
    Removing block-buffer v0.10.2
      Adding block-buffer v0.10.4
    Removing block-padding v0.1.5
    Updating bls12_381 v0.7.0 -> v0.7.1
    Updating bstr v0.2.17 -> v1.4.0
    Updating byte-slice-cast v1.2.1 -> v1.2.2
    Removing byte-tools v0.3.1
    Updating bytemuck v1.8.0 -> v1.13.1
    Updating cc v1.0.73 -> v1.0.79
    Removing chunked_transfer v1.4.0
    Updating cipher v0.4.3 -> v0.4.4
    Updating clang-sys v1.3.1 -> v1.6.0
    Updating clap v3.2.20 -> v3.2.23
    Updating console v0.15.4 -> v0.15.5
    Updating constant_time_eq v0.2.4 -> v0.2.5
    Updating crossbeam-channel v0.5.4 -> v0.5.7
    Updating crossbeam-deque v0.8.1 -> v0.8.3
    Updating crossbeam-epoch v0.9.7 -> v0.9.14
    Updating crossbeam-utils v0.8.7 -> v0.8.15
      Adding cxx-build v1.0.93
    Updating cxx-gen v0.7.74 -> v0.7.93
    Updating darling v0.14.1 -> v0.14.4
    Updating darling_core v0.14.1 -> v0.14.4
    Updating darling_macro v0.14.1 -> v0.14.4
    Removing digest v0.8.1
    Removing digest v0.10.5
      Adding digest v0.10.6
    Updating dirs-sys v0.3.6 -> v0.3.7
    Updating either v1.6.1 -> v1.8.1
    Updating encoding_rs v0.8.30 -> v0.8.32
    Updating enum-iterator v1.2.0 -> v1.4.0
    Updating enum-iterator-derive v1.1.0 -> v1.2.0
    Updating eyre v0.6.7 -> v0.6.8
    Removing fake-simd v0.1.2
    Updating fastrand v1.7.0 -> v1.9.0
    Updating ff v0.12.0 -> v0.12.1
    Updating fixedbitset v0.4.1 -> v0.4.2
    Updating flate2 v1.0.22 -> v1.0.25
    Updating form_urlencoded v1.0.1 -> v1.1.0
    Removing generic-array v0.12.4
    Removing generic-array v0.14.5
      Adding generic-array v0.14.6
    Updating gimli v0.26.1 -> v0.27.2
    Updating glob v0.3.0 -> v0.3.1
    Updating globset v0.4.8 -> v0.4.10
    Updating h2 v0.3.11 -> v0.3.16
    Updating hashbrown v0.12.1 -> v0.12.3
    Updating hdrhistogram v7.5.0 -> v7.5.2
    Updating heck v0.4.0 -> v0.4.1
    Updating http v0.2.8 -> v0.2.9
    Removing http-range-header v0.3.0
    Updating hyper-rustls v0.23.0 -> v0.23.2
    Updating iana-time-zone v0.1.46 -> v0.1.54
      Adding iana-time-zone-haiku v0.1.1
    Updating idna v0.2.3 -> v0.3.0
    Updating io-lifetimes v1.0.4 -> v1.0.9
    Updating ipnet v2.4.0 -> v2.7.1
    Updating is-terminal v0.4.4 -> v0.4.5
    Updating itoa v1.0.4 -> v1.0.6
    Updating jobserver v0.1.24 -> v0.1.26
    Updating js-sys v0.3.59 -> v0.3.61
    Updating libc v0.2.139 -> v0.2.140
    Updating libloading v0.7.3 -> v0.7.4
    Updating libm v0.2.2 -> v0.2.6
    Updating libz-sys v1.1.4 -> v1.1.8
    Updating link-cplusplus v1.0.7 -> v1.0.8
    Updating lock_api v0.4.6 -> v0.4.9
    Removing maplit v1.0.2
    Removing matches v0.1.9
    Updating matchit v0.5.0 -> v0.7.0
    Updating memoffset v0.6.5 -> v0.8.0
    Updating mime v0.3.16 -> v0.3.17
    Updating miniz_oxide v0.4.4 -> v0.6.2
    Updating minreq v2.6.0 -> v2.7.0
    Updating mio v0.8.4 -> v0.8.6
    Updating net2 v0.2.37 -> v0.2.38
    Updating nom v7.1.0 -> v7.1.3
    Updating num-format v0.4.3 -> v0.4.4
    Updating num-traits v0.2.14 -> v0.2.15
    Updating object v0.27.1 -> v0.30.3
    Removing opaque-debug v0.2.3
    Updating openssl v0.10.38 -> v0.10.48
      Adding openssl-macros v0.1.0
    Updating openssl-sys v0.9.72 -> v0.9.83
    Updating os_info v3.5.1 -> v3.7.0
    Updating os_str_bytes v6.3.0 -> v6.5.0
    Updating parity-scale-codec v3.1.2 -> v3.4.0
    Updating parity-scale-codec-derive v3.1.2 -> v3.1.4
    Updating parking_lot v0.12.0 -> v0.12.1
    Removing parking_lot_core v0.8.5
    Removing parking_lot_core v0.9.1
      Adding parking_lot_core v0.8.6
      Adding parking_lot_core v0.9.7
    Updating pasta_curves v0.4.0 -> v0.4.1
    Updating percent-encoding v2.1.0 -> v2.2.0
    Updating pest v2.1.3 -> v2.5.6
    Updating pest_derive v2.1.0 -> v2.5.6
    Updating pest_generator v2.1.3 -> v2.5.6
    Updating pest_meta v2.1.3 -> v2.5.6
    Updating petgraph v0.6.0 -> v0.6.3
    Updating pkg-config v0.3.24 -> v0.3.26
    Updating plotters v0.3.1 -> v0.3.4
    Updating plotters-backend v0.3.2 -> v0.3.4
    Updating plotters-svg v0.3.1 -> v0.3.3
    Updating portable-atomic v0.3.15 -> v0.3.19
    Updating ppv-lite86 v0.2.16 -> v0.2.17
    Updating prettyplease v0.1.9 -> v0.1.25
    Updating proc-macro-crate v1.1.3 -> v1.3.1
    Updating proc-macro2 v1.0.52 -> v1.0.53
    Updating prost-build v0.11.1 -> v0.11.8
    Updating prost-types v0.11.1 -> v0.11.8
    Updating raw-cpuid v10.2.0 -> v10.7.0
    Updating redox_syscall v0.2.11 -> v0.2.16
    Updating redox_users v0.4.0 -> v0.4.3
    Updating rgb v0.8.32 -> v0.8.36
    Updating rustc-demangle v0.1.21 -> v0.1.22
    Updating rustix v0.36.7 -> v0.36.11
    Updating rustls v0.20.7 -> v0.20.8
    Updating rustls-pemfile v1.0.0 -> v1.0.2
    Updating rustversion v1.0.11 -> v1.0.12
    Updating ryu v1.0.9 -> v1.0.13
    Updating schannel v0.1.19 -> v0.1.21
      Adding scratch v1.0.5
    Updating security-framework v2.6.1 -> v2.8.2
    Updating security-framework-sys v2.6.1 -> v2.8.0
    Removing sha-1 v0.8.2
      Adding sha2 v0.10.6
    Updating signal-hook-registry v1.4.0 -> v1.4.1
    Updating similar v2.1.0 -> v2.2.1
    Updating slab v0.4.5 -> v0.4.8
    Updating socket2 v0.4.7 -> v0.4.9
    Removing syn v1.0.104
    Removing syn v2.0.3
      Adding syn v1.0.109
      Adding syn v2.0.8
    Updating sync_wrapper v0.1.1 -> v0.1.2
    Updating termcolor v1.1.3 -> v1.2.0
    Updating textwrap v0.15.0 -> v0.16.0
    Updating thread_local v1.1.4 -> v1.1.7
    Removing time v0.1.44
    Removing time v0.3.17
      Adding time v0.1.43
      Adding time v0.3.20
    Updating time-macros v0.2.6 -> v0.2.8
    Updating tinyvec_macros v0.1.0 -> v0.1.1
    Updating tokio-macros v1.7.0 -> v1.8.2
    Updating tokio-native-tls v0.3.0 -> v0.3.1
    Updating tokio-rustls v0.23.2 -> v0.23.4
    Updating tokio-util v0.6.9 -> v0.6.10
    Updating toml_edit v0.19.7 -> v0.19.8
    Updating tonic v0.8.2 -> v0.8.3
    Updating tonic-build v0.8.2 -> v0.8.4
    Removing tower-http v0.3.4
    Updating tower-layer v0.3.1 -> v0.3.2
    Updating tower-service v0.3.1 -> v0.3.2
    Updating try-lock v0.2.3 -> v0.2.4
    Updating typenum v1.15.0 -> v1.16.0
    Updating ucd-trie v0.1.3 -> v0.1.5
    Updating unicode-bidi v0.3.7 -> v0.3.13
    Updating unicode-ident v1.0.2 -> v1.0.8
    Updating unicode-normalization v0.1.19 -> v0.1.22
    Updating unicode-segmentation v1.9.0 -> v1.10.1
    Updating unicode-width v0.1.9 -> v0.1.10
    Updating unicode-xid v0.2.2 -> v0.2.4
    Updating ureq v2.5.0 -> v2.6.2
    Updating url v2.2.2 -> v2.3.1
    Updating uuid v1.1.0 -> v1.3.0
    Updating walkdir v2.3.2 -> v2.3.3
    Updating wasi v0.10.0+wasi-snapshot-preview1 -> v0.10.2+wasi-snapshot-preview1
    Updating wasm-bindgen v0.2.82 -> v0.2.84
    Updating wasm-bindgen-backend v0.2.82 -> v0.2.84
    Updating wasm-bindgen-futures v0.4.29 -> v0.4.34
    Updating wasm-bindgen-macro v0.2.82 -> v0.2.84
    Updating wasm-bindgen-macro-support v0.2.82 -> v0.2.84
    Updating wasm-bindgen-shared v0.2.82 -> v0.2.84
    Updating web-sys v0.3.56 -> v0.3.61
    Updating webpki-roots v0.22.5 -> v0.22.6
    Updating which v4.2.4 -> v4.4.0
      Adding windows v0.46.0
    Removing windows-sys v0.32.0
    Removing windows-sys v0.36.1
    Updating windows-targets v0.42.1 -> v0.42.2
    Updating windows_aarch64_gnullvm v0.42.1 -> v0.42.2
    Removing windows_aarch64_msvc v0.32.0
    Removing windows_aarch64_msvc v0.36.1
    Removing windows_aarch64_msvc v0.42.1
      Adding windows_aarch64_msvc v0.42.2
    Removing windows_i686_gnu v0.32.0
    Removing windows_i686_gnu v0.36.1
    Removing windows_i686_gnu v0.42.1
      Adding windows_i686_gnu v0.42.2
    Removing windows_i686_msvc v0.32.0
    Removing windows_i686_msvc v0.36.1
    Removing windows_i686_msvc v0.42.1
      Adding windows_i686_msvc v0.42.2
    Removing windows_x86_64_gnu v0.32.0
    Removing windows_x86_64_gnu v0.36.1
    Removing windows_x86_64_gnu v0.42.1
      Adding windows_x86_64_gnu v0.42.2
    Updating windows_x86_64_gnullvm v0.42.1 -> v0.42.2
    Removing windows_x86_64_msvc v0.32.0
    Removing windows_x86_64_msvc v0.36.1
    Removing windows_x86_64_msvc v0.42.1
      Adding windows_x86_64_msvc v0.42.2
    Updating winnow v0.3.6 -> v0.4.0
    Updating wyz v0.5.0 -> v0.5.1
    Updating zeroize_derive v1.3.2 -> v1.3.3
```
78f6326 to 5952dd4
Here are the possibly consensus-critical crate changes:

- Adds extra APIs, improves clearing sensitive data from memory: https://github.com/zkcrypto/bls12_381/blob/main/RELEASES.md#071
- Lint changes only: https://github.com/cesarb/constant_time_eq/blob/master/CHANGES#L1
- Lint changes only: https://github.com/RustCrypto/traits/blob/master/digest/CHANGELOG.md#0106-2022-11-17 Removing the old version reduces the risk of consensus splits within Zebra itself or with other nodes.
- Stops integer overflow in some cases: https://github.com/zkcrypto/ff/blob/main/CHANGELOG.md#0121---2022-10-28
- All changes are behind a new feature flag we don't use: https://github.com/zcash/pasta_curves/blob/main/CHANGELOG.md#041---2022-10-13
- Removing outdated libraries and hashes is good.
- Seems to be required by another dependency: https://github.com/RustCrypto/hashes/blob/master/sha2/CHANGELOG.md#0106-2022-09-16
- Adds an extra API: https://github.com/RustCrypto/utils/blob/master/zeroize/derive/CHANGELOG.md#fixed

In the merge queue:
https://github.com/ZcashFoundation/zebra/actions/runs/4514448606/jobs/7951570364#step:10:84

@Mergifyio refresh

✅ Pull request refreshed
Motivation
Zebra has about 150 transitive dependencies in `Cargo.lock` that aren't being updated for some reason. See my comment below for a list.

It's possible we turned them off using a dependabot command or by closing a dependabot PR, and didn't turn them back on. (To turn them back on, we'd need to re-open that specific dependabot PR.) It's also possible dependabot isn't checking the lockfile for updates.
Credit to Alfredo for discovering this last week!
Closes #6391
Complex Code or Requirements
None of these dependencies have duplicate versions in the ECC consensus-critical dependencies. I checked by commenting out `zcash_primitives` in `deny.toml`.

The `was[im]*` and `windows*` dependencies are for unsupported platforms. Some of the other dependencies are test-only, like `tonic*`.

We should double-check that none of these changes are consensus-critical.
Solution

`cargo update`

`cargo update` removed about 11 dependencies; most of them were duplicates.

Related changes:
Review
This is a low priority change.
I don't know how to review all these dependency updates at the same time. But I think it's worse to not do them, and be using buggy or insecure versions.
I'd like two reviews to make sure I got this right.
Reviewer Checklist
Follow Up Work
`cargo upgrade` will update `Cargo.toml` entries; maybe we want to do that after `zcashd` has updated `zcash_primitives` to 0.10.0.
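The duplicate-version check described under "Complex Code or Requirements" (commenting out `zcash_primitives` in `deny.toml` and seeing whether any consensus-critical crate is pulled in at two versions) can be approximated without cargo-deny by reading `Cargo.lock` directly. The script below is an added example written for this discussion; it is not Zebra's tooling and does not replace `cargo deny`. The `Cargo.lock` excerpt is constructed, `CRITICAL_CRATES` is a hypothetical list rather than Zebra's real allowlist, and the `ignore` patterns mirror the `was[im]*` and `windows*` platform-only crates the description mentions. It generalises slightly beyond the PR by accepting any lock file and any critical set.

```python
"""Report crates that appear in a Cargo.lock under more than one version,
and flag any that are on a list of consensus-critical crates.

Added example for this PR discussion; not Zebra's tooling (Zebra uses
cargo-deny with deny.toml for this check). The lock excerpt is constructed
and CRITICAL_CRATES is hypothetical.
"""
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt: "digest" and "windows_x86_64_msvc" are
# present twice, mirroring the duplicate versions that `cargo update`
# removed in this PR. Not Zebra's real lock file.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "digest"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "digest"
version = "0.10.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "block-buffer",
]

[[package]]
name = "zcash_primitives"
version = "0.9.0"

[[package]]
name = "windows_x86_64_msvc"
version = "0.36.1"

[[package]]
name = "windows_x86_64_msvc"
version = "0.42.1"
"""

# Hypothetical set of crates whose behaviour affects consensus; a real run
# would take this from deny.toml rather than hard-coding it.
CRITICAL_CRATES = {"digest", "zcash_primitives"}

_KEY_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"')


def version_key(version):
    """Sort key that orders "0.8.1" before "0.10.5" (numeric, not lexical)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_lock(text):
    """Return {crate name: [versions...]} from Cargo.lock text.

    Only the name/version keys of each [[package]] table are read, so no
    TOML library is needed; the unquoted top-level `version = 3` is skipped
    because the regex requires a quoted value.
    """
    versions = defaultdict(set)
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name = None  # start of a new package table
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "name":
            name = value
        elif key == "version" and name is not None:
            versions[name].add(value)
    return {n: sorted(v, key=version_key) for n, v in versions.items()}


def duplicate_versions(lock, ignore=()):
    """Crates with more than one version, excluding names matching any
    regex in `ignore` (e.g. platform-only crates such as windows*)."""
    skip = [re.compile(p) for p in ignore]
    return {
        n: v for n, v in lock.items()
        if len(v) > 1 and not any(r.match(n) for r in skip)
    }


def critical_duplicates(dups, critical):
    """Names of duplicated crates that are also consensus-critical, sorted."""
    return sorted(n for n in dups if n in critical)


if __name__ == "__main__":
    lock = parse_lock(SAMPLE_LOCK)
    dups = duplicate_versions(lock, ignore=(r"^windows", r"^was[im]"))
    for crate, vers in sorted(dups.items()):
        print(f"{crate}: {', '.join(vers)}")
    bad = critical_duplicates(dups, CRITICAL_CRATES)
    print("consensus-critical duplicates:", bad or "none")
```

Run it against a real lock file with `parse_lock(open("Cargo.lock").read())`; a non-empty result from `critical_duplicates` is the case the PR description wants ruled out, since two versions of a consensus-critical crate in one binary is exactly the consensus-split risk the `digest` comment refers to.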