Update dependencies and use more specific versions for dependencies with known CVEs #2462
Conversation
Could we perhaps move these dependencies to the global How do we notice that we specify a version in
@hrxi deps.rs is one effort I know though it doesn't actively notify you about versions lower than a CVE. But it's a badge in the README of this repo already.
https://github.com/rustsec/audit-check might be interesting
Done. Only did it for
Yeah, as @Eligioo mentioned we already have deps.rs and then there is also
Use a more specific version for the `rand_core` dependency than versions with known CVEs. This fixes #2454.
Done. Just added a GH action that is going to be run periodically to check for
LGTM otherwise.
Use a more specific version for the `futures-util` dependency than versions with known CVEs. This fixes #2457.
Use a more specific version for the `tracing` dependency than versions with known CVEs. This fixes #2453.
Use a more specific version for the `regex` dependency than versions with known CVEs.
Update the `itertools` dependency to the latest version (0.12.1) as for some reason this hasn't been flagged by GH dependabot.
Update the `hyper` dependency to the latest version (1.3.1) for the `metrics-server` subcrate.
Updated the `crossbeam-channel` dependency from version 0.5.7 to 0.5.12 (latest) since the former version was already yanked, as pointed out by `cargo audit`.
Switch to a maintained version of the `dotenv` dependency: `dotenvy` since the former is flagged by `cargo audit` as unmaintained.
Switch to a maintained version of the `ansi-term` dependency: `ansiterm` since the former was flagged by `cargo audit` as unmaintained.
Add GitHub workflow to check for security vulnerabilities using `cargo audit`. This workflow was set up to run every Wednesday at 2:00 UTC.
What's in this pull request?
- Use a more specific version for the `rand_core` dependency than versions with known CVEs. This fixes "`rand_core` in `keys` should use a more specific version greater than known CVE" #2454.
- Use a more specific version for the `futures-util` dependency than versions with known CVEs. This fixes "`futures-util` in `web-client` should use a more specific version greater than known CVEs" #2457.
- Use a more specific version for the `tracing` dependency than versions with known CVEs. This fixes "`tracing` in `network-libp2p` should use a more specific version greater than known CVE" #2453.
- Use a more specific version for the `regex` dependency than versions with known CVEs.
- Update the `itertools` dependency to the latest version (0.12.1) as for some reason this hasn't been flagged by GH dependabot.
- Update the `hyper` dependency to the latest version (1.3.1) for the `metrics-server` subcrate.
- Update the `crossbeam-channel` dependency from version 0.5.7 to 0.5.12 (latest) since the former version was already yanked, as pointed out by `cargo audit`.
- Switch to a maintained version of the `dotenv` dependency: `dotenvy`, since the former is flagged by `cargo audit` as unmaintained.
- Switch to a maintained version of the `ansi-term` dependency: `ansiterm`, since the former was flagged by `cargo audit` as unmaintained.
- Add a GitHub workflow to check for security vulnerabilities using `cargo audit`. This workflow was set up to run every Wednesday at 2:00 UTC.

Pull request checklist
- `clippy` and `rustfmt` warnings.
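The pull request description above replaces bare requirements such as `rand_core = "0.6"` with ones whose lower bound sits at or above the patched release. The following is an added example, not code from this PR or from the project it belongs to, showing in Rust why that matters: Cargo expands a bare requirement into a caret range, so `"0.6"` still admits 0.6.0 while `"0.6.4"` does not, and only the lower bound of that range decides whether the manifest alone guarantees a fixed version. The `Advisory` struct, the `EXAMPLE-000x` identifiers and the `patched` versions are constructed for illustration and are not real advisory data; real patched ranges come from the RustSec database that `cargo audit` queries.

```rust
// Added example (not from this PR or its project): how Cargo's implicit caret
// requirement interacts with a "patched in version X" advisory.
// Advisory data in main() is constructed for illustration only.

/// A three-part semantic version (pre-release tags are not handled here).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    pub fn new(major: u64, minor: u64, patch: u64) -> Self {
        Version { major, minor, patch }
    }
}

/// The half-open range `[lo, hi)` that a Cargo caret requirement admits.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CaretRange {
    pub lo: Version,
    pub hi: Version,
}

/// Expand a bare requirement ("0.6", "0.6.4", "1", "^1.3") into the range Cargo
/// treats it as: >= lo and < the next change of the leftmost non-zero component.
/// Returns None for anything that is not a plain 1-3 part caret requirement.
pub fn caret_range(req: &str) -> Option<CaretRange> {
    let body = req.trim().trim_start_matches('^');
    let parts: Vec<u64> = body
        .split('.')
        .map(|p| p.parse().ok())
        .collect::<Option<Vec<u64>>>()?;
    let (major, minor, patch) = match parts.as_slice() {
        [ma] => (*ma, 0, 0),
        [ma, mi] => (*ma, *mi, 0),
        [ma, mi, pa] => (*ma, *mi, *pa),
        _ => return None,
    };
    let lo = Version::new(major, minor, patch);
    let hi = if major > 0 {
        Version::new(major + 1, 0, 0) // ^1.3   -> <2.0.0
    } else if minor > 0 {
        Version::new(0, minor + 1, 0) // ^0.6.4 -> <0.7.0
    } else {
        match parts.len() {
            3 => Version::new(0, 0, patch + 1), // ^0.0.3 -> <0.0.4
            2 => Version::new(0, 1, 0),         // ^0.0   -> <0.1.0
            _ => Version::new(1, 0, 0),         // ^0     -> <1.0.0
        }
    };
    Some(CaretRange { lo, hi })
}

/// Simplified advisory: every release below `patched` is affected.
/// (Real advisories can carry several patched and unaffected ranges.)
#[derive(Debug, Clone)]
pub struct Advisory {
    pub krate: &'static str,
    pub id: &'static str, // constructed identifier, not a real RUSTSEC/CVE id
    pub patched: Version,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    /// Lower bound is at or above the patched release: every admitted version is fixed.
    Fixed,
    /// The requirement still admits unpatched releases and relies on Cargo.lock
    /// (or a `cargo update`) to land on a fixed one.
    AllowsUnpatched,
    /// No fixed release falls inside the range: a bump across the breaking-change
    /// boundary is needed, not a narrower requirement.
    NoFixInRange,
}

pub fn check_requirement(req: &str, adv: &Advisory) -> Option<Verdict> {
    let range = caret_range(req)?;
    Some(if range.lo >= adv.patched {
        Verdict::Fixed
    } else if adv.patched >= range.hi {
        Verdict::NoFixInRange
    } else {
        Verdict::AllowsUnpatched
    })
}

/// Run every (crate, requirement) pair of a manifest against the advisory list
/// and return the findings that are not `Fixed`.
pub fn audit(deps: &[(&str, &str)], advisories: &[Advisory]) -> Vec<(String, Verdict)> {
    let mut findings = Vec::new();
    for (name, req) in deps {
        for adv in advisories.iter().filter(|a| a.krate == *name) {
            match check_requirement(req, adv) {
                Some(Verdict::Fixed) | None => {}
                Some(v) => findings.push((format!("{} = \"{}\" ({})", name, req, adv.id), v)),
            }
        }
    }
    findings
}

fn main() {
    // Constructed advisory list and manifest excerpts, for illustration only.
    let advisories = [
        Advisory { krate: "rand_core", id: "EXAMPLE-0001", patched: Version::new(0, 6, 2) },
        Advisory { krate: "hyper", id: "EXAMPLE-0002", patched: Version::new(1, 0, 0) },
    ];
    let before = [("rand_core", "0.6"), ("hyper", "0.14")];
    let after = [("rand_core", "0.6.4"), ("hyper", "1.3.1")];
    for (label, deps) in [("before", &before), ("after", &after)] {
        println!("{}: {:?}", label, audit(deps, &advisories));
    }
}
```

`cargo run` prints the findings for the constructed "before" and "after" manifests. The third verdict is the one worth remembering: when the fix lives beyond the caret boundary (the constructed `hyper` case, 0.14 against a 1.x fix), narrowing the requirement cannot help and a cross-boundary update is needed. The scheduled `cargo audit` workflow the PR adds checks the resolved versions in `Cargo.lock` rather than the manifest ranges, so it catches what actually ships while a manifest check like this one catches what a fresh resolve would be allowed to pick.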