RUSTSEC-2025-0134: rustls-pemfile no longer maintained #179

@RoloEdits

cargo deny shows:

advisory detected
    │
    ├ ID: RUSTSEC-2025-0134
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0134
    ├ The rustls-pemfile crate is no longer maintained. The repository has been archived since August
      2025, and users are encouraged to depend directly on the underlying PEM parsing code included
      in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper
      around the same code used in rustls-pki-types, so migrating should be straightforward.
      
      The new API is represented by the [`PemObject`][PemObject] trait, which provides methods for
      reading a single or multiple PEM objects from a file or byte slice.
      
      [PemObject]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html
    ├ Announcement: https://github.com/rustls/pemfile/issues/61
    ├ Solution: No safe upgrade is available!
    ├ rustls-pemfile v2.2.0
      └── amqprs v2.1.3

This is found here:

    # SSL/TLS dependencies
    tokio-rustls = { version = "0.26", optional = true, default-features = false }
    rustls-pemfile = { version = "2.1.2", optional = true }
    rustls-webpki = { version = "0.103", optional = true, default-features = false }
    webpki-roots = { version = "0.26", optional = true }
    rustls-pki-types = { version = "1.7.0", optional = true }

amqprs already depends on the recommended rustls-pki-types, but is using an older version than the one suggested: 1.7.0 -> 1.9.0 is needed.
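
As an added example (not part of the original issue or the amqprs code base), a std-only Rust check that reads a Cargo.lock and reports whether rustls-pemfile is still locked and whether the locked rustls-pki-types meets the 1.9.0 floor named in the advisory. The names `triage`, `Triage` and `SAMPLE_LOCK` are hypothetical, and the lockfile text is constructed sample data.

```rust
// Constructed sample lockfile, not the real amqprs Cargo.lock.
const SAMPLE_LOCK: &str = r#"version = 4
[[package]]
name = "amqprs"
version = "2.1.3"
[[package]]
name = "rustls-pemfile"
version = "2.2.0"
[[package]]
name = "rustls-pki-types"
version = "1.7.0"
"#;
// First rustls-pki-types release with the PEM parser, per the advisory text.
const MIN_PKI_TYPES: (u64, u64, u64) = (1, 9, 0);

#[derive(Debug, PartialEq)]
pub struct Triage {
    pub pemfile: Option<String>,   // locked rustls-pemfile version, if any
    pub pki_types: Option<String>, // locked rustls-pki-types version, if any
    pub can_migrate: bool,         // rustls-pki-types locked at >= 1.9.0
}
// Parse MAJOR.MINOR.PATCH; a pre-release or build suffix is dropped.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}
// Return the quoted value of a `key = "value"` lockfile line.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}
// Hypothetical helper: scan [[package]] entries for the two crates of interest.
pub fn triage(lock: &str) -> Triage {
    let (mut pemfile, mut pki_types): (Option<String>, Option<String>) = (None, None);
    let mut name: Option<&str> = None;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None; // new entry: forget the previous package name
        } else if let Some(n) = value_of(line, "name") {
            name = Some(n);
        } else if let Some(v) = value_of(line, "version") {
            if name == Some("rustls-pemfile") { pemfile = Some(v.to_string()); }
            if name == Some("rustls-pki-types") { pki_types = Some(v.to_string()); }
        }
    }
    let ok = pki_types.as_deref().and_then(parse_version);
    Triage { pemfile, pki_types, can_migrate: ok.map_or(false, |v| v >= MIN_PKI_TYPES) }
}
fn main() { println!("{:?}", triage(SAMPLE_LOCK)); }
```

A `"1.7.0"` requirement in Cargo.toml is a caret requirement, so the version actually locked can be newer than the manifest minimum; the lockfile is the place to check what is built. Versions are compared numerically as tuples, so 1.13.0 correctly ranks above 1.9.0.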
