bump deps #2184
Crate:     openssl
Version:   0.10.68
Title:     ssl::select_next_proto use after free
Date:      2025-02-02
ID:        RUSTSEC-2025-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0004
Solution:  Upgrade to >=0.10.70

Crate:     openssl
Version:   0.10.68
Title:     Use-After-Free in `Md::fetch` and `Cipher::fetch`
Date:      2025-04-04
ID:        RUSTSEC-2025-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0022
Solution:  Upgrade to >=0.10.72

Crate:     tokio
Version:   1.39.2
Warning:   unsound
Title:     Broadcast channel calls clone in parallel, but does not require `Sync`
Date:      2025-04-07
ID:        RUSTSEC-2025-0023
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0023

reduce deps and fixes

Crate:     proc-macro-error
Version:   1.0.4
Warning:   unmaintained
Title:     proc-macro-error is unmaintained
Date:      2024-09-01
ID:        RUSTSEC-2024-0370
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0370
benchlib pulls clap which affects lock files for runtime benches.

The updated lockfiles need to be committed.

Yeah, that would be nice! Please open a separate PR for that, if you want.
Kobzol
left a comment
Nice to get rid of ring! I don't think we have to get so draconian about pinning dependency versions though.
Cargo.toml
| chrono = "0.4" | ||
| clap = "4.1" | ||
| # this is latest version with small number of deps | ||
| clap = "=4.1.14" |
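Review bot: the `clap = "=4.1.14"` line in this hunk is an exact pin, so Cargo will refuse every newer 4.x clap release, including patch releases that fix bugs or security issues, until someone bumps the pin by hand; since the comment says the goal is only to keep the dependency count small, a caret requirement such as `clap = "4"` (or the original `"4.1"`) keeps semver-compatible updates available while the committed lockfile still holds the chosen version.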
I don't think that reducing the number of deps is so critical here that we would need to pin specific versions, that should be left to really rare circumstances. Just leave it at "4".
One of the sources of the dep number increase here (#2034 (comment)) was clap, so I tried to prevent it. Ok.
Kobzol
left a comment
Thanks!
This resolves a few cargo audit issues and drops a few deps.
Btw, should I replace the sha1 check with a sha256 check instead? GitHub suggests doing it: https://docs.github.com/en/webhooks/webhook-events-and-payloads#delivery-headers
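The sha1-versus-sha256 question above concerns GitHub's webhook delivery headers (`X-Hub-Signature` carries an HMAC-SHA1, `X-Hub-Signature-256` an HMAC-SHA256 of the raw request body under the shared secret). The following is an added example, not rustc-perf's own code: it verifies a delivery using the SHA-256 header when present and falls back to the legacy SHA-1 header only when it is absent, comparing in constant time; the secret and body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; a real receiver uses its configured webhook
# secret and the raw bytes of the incoming request body.
SECRET = b"constructed-demo-secret"
BODY = b'{"action":"opened","number":2184}'


def expected_signature(secret: bytes, body: bytes, algo: str) -> str:
    """Return the header value GitHub would send: '<algo>=<lowercase hex hmac>'."""
    return f"{algo}={hmac.new(secret, body, algo).hexdigest()}"


def verify_github_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Verify a webhook delivery against the shared secret.

    X-Hub-Signature-256 (HMAC-SHA256) is checked if present; the legacy
    X-Hub-Signature (HMAC-SHA1) is consulted only when the SHA-256 header is
    missing. hmac.compare_digest avoids leaking the match position via timing.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    for header, algo in (("x-hub-signature-256", "sha256"),
                         ("x-hub-signature", "sha1")):
        received = lookup.get(header)
        if received is None:
            continue
        if not received.startswith(f"{algo}="):
            return False  # wrong or missing algorithm prefix
        return hmac.compare_digest(received, expected_signature(secret, body, algo))
    return False  # unsigned delivery: reject


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": expected_signature(SECRET, BODY, "sha256")}
    print("valid delivery:", verify_github_signature(SECRET, BODY, good))
    print("tampered body:", verify_github_signature(SECRET, BODY + b" ", good))
```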