Draft: Update vulnerable dependencies
`cargo audit` reports 4 vulnerabilities:

1. RUSTSEC-2021-0115: `#[zeroize(drop)]` doesn't implement Drop for enums
   - update `zeroize_derive` from 1.0.1 to 1.2.0
   - This is Windows only, so the update should not be an issue.
2. RUSTSEC-2021-0093: Data race in crossbeam-deque
   - Update `crossbeam-deque` from 0.8.0 to 0.8.1.
   - Debian has 0.7.2, but also `sq` does not depend on `crossbeam-deque`, so I hope this is ok.
3. RUSTSEC-2021-0079: "Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss"
   - Only relevant for the `net` crate.
   - Update `hyper` from 0.13.10 to 0.14.0
   - Update `hyper-tls` from 0.4 to 0.5
   - The updated `hyper` and `hyper-tls` require `tokio` 1.0, and `sequoia-net` has a dev-dependency on `tokio`, so update that, too.
4. RUSTSEC-2021-0078: "Lenient `hyper` header parsing of `Content-Length` could allow request smuggling"
   - See 3.

Updating `sequoia-net`'s `tokio` to 1.0 means that the `sequoia` workspace now depends on both tokio 0.2 and its dependencies, and tokio 1.0 and its dependencies. The aggregate number of dependencies rises from 265 to 274, and build times increase, too. We should update the other uses of `tokio` to 1.0, too.

This also adds a `cargo audit` CI job, so we can notice earlier. `cargo-audit` should be added to the docker image, but please discuss first if we want that job :)
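For reference, this is what a minimal GitLab CI job running `cargo audit` looks like. It is an added illustration, not the job definition from this merge request: the job name, stage, base image and the `before_script` install step are assumptions, the last one standing in until `cargo-audit` is part of the project's docker image.

```yaml
# Added example, not the MR's own CI job. Job name, stage and image are assumed.
audit:
  stage: test
  image: rust:latest          # assumption: an image without cargo-audit preinstalled
  before_script:
    # Stop-gap until cargo-audit ships in the project's docker image.
    - cargo install cargo-audit --locked
  script:
    # Checks Cargo.lock against the RustSec advisory database and exits
    # non-zero if any advisory matches a locked dependency, failing the job.
    - cargo audit
  # allow_failure: true       # uncomment while the job is still under discussion
```

Because `cargo audit` reads `Cargo.lock`, the job only reports on the versions the workspace actually pins, which is exactly what makes the version bumps above (e.g. `crossbeam-deque` 0.8.0 to 0.8.1) show up as fixed once the lock file is updated.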
Edited by Nora Widdecke