Merge branch 'master' into add-audit-ci

near · Nov 20, 2023 · c5a7aab · c5a7aab
2 parents a84fa5d + 7934b34
commit c5a7aab
Show file tree

Hide file tree

Showing 42 changed files with 883 additions and 790 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,30 @@
+[advisories]
+ignore = [
+    # DO NOT ADD ANYTHING TO THIS LIST WITHOUT CAREFUL CONSIDERATION!
+
+    # dotenv being unmaintained is ignored because it is an indirect dependency of cloud-storage, which would be hard to replace.
+    # In addition, it is most likely not ever going to be on a security-critical path, considering it only parses trusted .env files.
+    # However, we should probably replace cloud-storage with tame-gcs as soon as possible to remove this ignore.
+    "RUSTSEC-2021-0141",
+
+    # mach is unmaintained, but seems to be required by wasmtime at its latest version, which we currently cannot do without.
+    # We should replace it with mach2 in our personal code, but will need to keep it there until wasmtime switches to it.
+    # Anyway, it cannot be a security liability in production, considering it is bindings to the OS X kernel.
+    "RUSTSEC-2020-0168",
+
+    # memmap is unmaintained, but is used by wasmer0, which we need to keep alive for replayability reasons.
+    # We should remove wasmer0 and this ignore as soon as we get limited replayability.
+    "RUSTSEC-2020-0077",
+
+    # parity-wasm is deprecated, but is used by our runtimes before near-vm, which we need to keep alive for replayability reasons.
+    # We should remove them all, as well as this ignore, as soon as we get limited replayability.
+    "RUSTSEC-2022-0061",
+
+    # borsh is vulnerable, but is used by wasmer0, which we need to keep alive for replayability reasons.
+    # We should remove it, as well as this ignore, as soon as we get limited replayability.
+    "RUSTSEC-2023-0033",
+
+    # older versions of parking-lot are vulnerable, but used by wasmer0, which we need to keep alive for replayability reasons.
+    # We should remove it, as well as this ignore, as soon as we get limited replayability.
+    "RUSTSEC-2020-0070",
+]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -226,3 +226,12 @@ jobs:
         with:
           crate: cargo-audit
       - run: cargo audit -D warnings
+
+  lychee_checks:
+    name: "Lychee Lints"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: lycheeverse/lychee-action@2ac9f030ccdea0033e2510a23a67da2a2da98492
+        with:
+          fail: true
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -158,6 +158,6 @@ On [betanet](https://docs.near.org/docs/concepts/networks#betanet) we run
 nightly build from master with all the nightly protocol features enabled. Every
 five weeks, we stabilize some protocol features and make a release candidate for
 testnet.  The process for feature stabilization can be found in [this
-document](docs/protocol_upgrade.md).  After the release candidate has been
+document](docs/practices/protocol_upgrade.md).  After the release candidate has been
 running on testnet for four weeks and no issues are observed, we stabilize and
 publish the release for mainnet.