
Update async-nats #66

Closed
helio-frota opened this issue May 22, 2024 · 9 comments · Fixed by #67

Comments

@helio-frota
Collaborator

helio-frota commented May 22, 2024

trustification dependabot vulnerability alerts
https://gist.github.com/helio-frota/da4c1c984d12cc458f5c58e8b9201fc6

@helio-frota
Collaborator Author

@dejanb we can still see the warning; I think that is because of a cyclic dependency with trustification:

Crate:     ed25519-dalek
Version:   1.0.1
Title:     Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Date:      2022-06-11
ID:        RUSTSEC-2022-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0093
Solution:  Upgrade to >=2
Dependency tree:
ed25519-dalek 1.0.1
└── nkeys 0.2.0
    └── async-nats 0.29.0
        └── guac 0.1.0
├── exporter v0.1.0 (https://github.com/trustification/trustification.git?tag=v0.1.0-nightly.9382a428#9382a428)
│   ├── anyhow v1.0.86
│   ├── clap v4.5.4 (*)
│   ├── futures v0.3.30 (*)
│   ├── guac v0.1.0 (https://github.com/trustification/guac-rs.git?rev=5b8cad8342d42072a72ef4a149348d0d86a84176#5b8cad83)
│   │   ├── anyhow v1.0.86
│   │   ├── async-nats v0.29.0  <----------------------------------------------------
│   │   │   ├── async-nats-tokio-rustls-deps v0.24.0-ALPHA.1

either way we need to fix here first 👍
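The tree above shows why the fix has to land in guac-rs before trustification can pick it up: the only route from the top-level crate to ed25519-dalek 1.0.1 runs through guac. The following is an added example, not code from this issue or from guac-rs/trustification: it parses `cargo tree` style output and reports every path to a crate version flagged by an advisory, plus the direct dependencies that need updating. The sample tree is constructed from the chain quoted in this thread (exporter -> guac -> async-nats -> nkeys -> ed25519-dalek); versions of the other crates are assumed.

```python
import re

# Constructed sample in `cargo tree` format, based on the chain quoted above.
# Other crate versions are assumptions for illustration only.
SAMPLE_TREE = """\
exporter v0.1.0
├── anyhow v1.0.86
├── guac v0.1.0
│   ├── anyhow v1.0.86
│   ├── async-nats v0.29.0
│   │   ├── nkeys v0.2.0
│   │   │   └── ed25519-dalek v1.0.1
│   │   └── tokio v1.37.0
│   └── graphql_client v0.13.0
└── futures v0.3.30 (*)
"""

# Each nesting level in `cargo tree` output is 4 characters wide
# ("├── ", "└── ", "│   " or "    "), so depth = len(prefix) // 4.
LINE_RE = re.compile(r"^([│ ]*(?:[├└]── )?)([\w-]+) v(\S+)")


def parse_tree(text):
    """Yield (depth, crate, version) for every crate line in the tree."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, crate, version = m.groups()
        yield len(prefix) // 4, crate, version


def paths_to(text, crate, bad_versions):
    """Return every root-to-leaf path ending in `crate` at a version in `bad_versions`.

    Note: `cargo tree` marks repeated subtrees with "(*)" and omits their
    children, so run it with --no-dedupe to see every path.
    """
    stack = []  # current chain of "name version" strings from the root
    hits = []
    for depth, name, version in parse_tree(text):
        del stack[depth:]  # pop back to the parent of this line
        stack.append(f"{name} {version}")
        if name == crate and version in bad_versions:
            hits.append(list(stack))
    return hits


def direct_deps_to_fix(text, crate, bad_versions):
    """Direct dependencies of the root through which the vulnerable crate is reached."""
    return {path[1].split()[0] for path in paths_to(text, crate, bad_versions) if len(path) > 1}
```

For a real workspace `cargo tree -i ed25519-dalek` gives the same inverted view natively; the script is useful when you only have pasted tree output, as in a dependabot or issue report.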

@dejanb
Collaborator

dejanb commented May 31, 2024

Yeah, that makes sense. We need to update trustification as well. Maybe it's time to cut the first "release"?

@helio-frota
Collaborator Author

as an upstream-dependency-for-trustification I would say yes 👍

@helio-frota
Collaborator Author

helio-frota commented May 31, 2024

Unless you want some other chore tasks before like:

  • update the Rust version -- same as trustify (or 1.77.2, same as trustification)
  • update other dependencies

[screenshot: 2024-05-31_08-27]

@helio-frota
Collaborator Author

we have breaking changes when updating reqwest ^

helio-frota added a commit to helio-frota/guac-rs that referenced this issue May 31, 2024
* Details trustification#66 (comment)
* Also simplifies ci a bit removing unused configs
@dejanb
Collaborator

dejanb commented May 31, 2024

I would update everything we can. Can you figure out how big is the breaking change for reqwest? Is there newer 0.11.x?

@helio-frota
Collaborator Author

good approach +1

I'll take a closer look; I remember a good amount of compilation errors, etc.

@helio-frota
Collaborator Author

helio-frota commented May 31, 2024

@dejanb I suspect that is messing with the other dependency

[screenshot: 2024-05-31_10-44]

https://crates.io/crates/graphql_client/0.14.0/dependencies

maybe better to wait for a new graphql_client version, makes sense?

[screenshot: 2024-05-31_10-46]

@helio-frota
Collaborator Author

this is the last outdated one; all the others got updated by the PR

dejanb pushed a commit that referenced this issue May 31, 2024
* Details #66 (comment)
* Also simplifies ci a bit removing unused configs