Merge pull request #3749 from autonomys/dep_upgrade

update yamux 0.13.8 → 0.13.9 and stop downgrading to 0.12

Author: vedhavyas

Cargo.lock

@@ -43,7 +43,7 @@ bitvec = "1.0.1"
 blake2 = { version = "0.10.6", default-features = false }
 blake3 = { version = "1.8.2", default-features = false }
 blst = "0.3.13"
-bytes = { version = "1.7.2", default-features = false }
+bytes = { version = "1.11.1", default-features = false }
 bytesize = "1.3.0"
 cc = "1.1.23"
 chacha20 = { version = "0.9.1", default-features = false }

Cargo.toml

@@ -77,13 +77,6 @@ const TEMPORARY_BANS_DEFAULT_MAX_INTERVAL: Duration = Duration::from_secs(30 * 6
 /// wasting resources and producing a ton of log records.
 const DIALING_INTERVAL_IN_SECS: Duration = Duration::from_secs(1);
 
-/// Specific YAMUX settings for Subspace applications: additional buffer space for pieces and
-/// substream's limit.
-///
-/// Defines a replication factor for Kademlia on get_record operation.
-/// "Good citizen" supports the network health.
-const YAMUX_MAX_STREAMS: usize = 256;
-
 /// Max confidence for autonat protocol. Could affect Kademlia mode change.
 pub(crate) const AUTONAT_MAX_CONFIDENCE: usize = 3;
 /// We set a very long pause before autonat initialization (Duration::Max panics).
@@ -279,8 +272,9 @@ impl Config {
             .set_record_ttl(None)
             .set_replication_interval(None);
 
-        let mut yamux_config = YamuxConfig::default();
-        yamux_config.set_max_num_streams(YAMUX_MAX_STREAMS);
+        // NOTE: Do not call deprecated setters like `set_max_num_streams()` on this config.
+        // They silently downgrade from yamux 0.13 to 0.12, which has a remote DoS vulnerability.
+        let yamux_config = YamuxConfig::default();
 
         let gossipsub = ENABLE_GOSSIP_PROTOCOL.then(|| {
             GossipsubConfigBuilder::default()