Update built dependency to 0.7.1 #452
Conversation
Requires some small changes to the code, as the Option struct has been removed in favor of feature flags.
…environment, because this breaks in our Tilt workflow.
…RUSTSEC-2024-0013
Cargo.toml
@@ -27,5 +27,8 @@ strum = { version = "0.25", features = ["derive"] } | |||
tokio = { version = "1.29", features = ["full"] } | |||
tracing = "0.1" | |||
|
|||
[patch.crates-io] | |||
built = { git = "https://github.com/stackabletech/built.git", branch = "fix/dont-write-env" } |
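Review bot: the `[patch.crates-io]` entry tracks the mutable branch `fix/dont-write-env` instead of a fixed `rev`, so the commit that actually lands in a build is whatever the branch head happens to be the next time Cargo.lock is regenerated, and nobody reviews that change. Pin the override with `rev = "<commit>"` (keeping `branch` is fine as long as `rev` is also set), make sure CI builds with `--locked` so the resolved commit in Cargo.lock cannot drift, and add a comment next to the entry pointing at the upstream issue so the override is not silently left in place once an upstream release makes it unnecessary.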
Do we want to submit a PR for this?
I have opened lukaslueg/built#62 to see if they'd be willing to consider one, but I would say in principle we would like to do that, yes.
Integration test still running, but looks okay so far I think... https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/hbase-operator-it-custom/139/
Test was successful
… the entire crates.io patch section.
I'm not sure I like this. I want us to think twice before moving to a fork of something.
In fact: I think I'm in favor of reverting this.
I am sure that I don't like it, but @nightkr and I discussed this and it seemed the "least bad" option that allows us to get rid of the RUSTSEC in our stack right now. We can investigate moving off built onto another crate or wait if there is an appetite for our fix upstream. Both of which will take time, which this workaround could buy us. I am also happy to revert and wait for feedback on our issue upstream.
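For the fork workaround debated above, an added example (not from this PR and not the operator's own Cargo.toml) showing the branch-tracking override beside one pinned to a commit. The `rev` value is a placeholder, not a real commit in the stackabletech fork:

```toml
# Added example, not the project's own configuration.
# [dependencies] still names the crates.io version; the patch only takes
# effect if the fork's Cargo.toml reports a version that satisfies it.
[dependencies]
built = { version = "0.7.1", features = ["git2"] }

[patch.crates-io]
# Weak: a branch name is a mutable reference. Every fresh `cargo update`
# (or any CI job that regenerates Cargo.lock) can pull in new, unreviewed
# commits from the fork.
# built = { git = "https://github.com/stackabletech/built.git", branch = "fix/dont-write-env" }

# Pinned: an immutable commit hash. Cargo fetches exactly this object and
# fails if the fork rewrites history. The hash below is a placeholder.
built = { git = "https://github.com/stackabletech/built.git", branch = "fix/dont-write-env", rev = "0000000000000000000000000000000000000000" }
```

Even with `branch` alone, Cargo records the resolved commit in Cargo.lock, so building with `cargo build --locked` in CI catches unintended drift; the `rev` pin makes the intent explicit in the manifest itself rather than relying on the lockfile being honoured.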
This reverts commit f6c1fbf.
I would favor reverting just so everything is consistent, but we can also keep it in and wait for upstream. In other words: We can get rid of the RUSTSEC by just saying it's not valid here.
That is exactly what the changed code in our fork does. The issue is that upstream removed the ability to disable that code.
Actually, we only use built as a build dependency, so the code is not even present in our shipped artifacts, so in VEX terms we can even say "vulnerable code not present".
Perhaps it is a non-issue in this case, but in general, even a build-time vulnerability can impact built artifacts. Just wanted to point it out so we don't get too comfortable ignoring build-time vulns.
Very true, and hopefully at some point it'll go away when we can upgrade again.
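The "just say it's not valid here" route discussed above, as an added example of how such a decision is usually recorded for `cargo audit` (this is not the operator repository's actual configuration; the file path and the wording of the justification are assumptions):

```toml
# .cargo/audit.toml  (added example, not from the PR)
[advisories]
# RUSTSEC-2024-0013 is suppressed on the grounds given in the PR discussion:
# `built` is only a build-dependency, so the affected code is not present in
# the shipped artifacts. In VEX terms this is the "vulnerable_code_not_present"
# justification. Keep the justification next to the id so the suppression is
# auditable, and remove it once an upstream fix can be adopted; as noted in
# the thread, build-time code can still influence what gets built, so this
# reasoning should be re-checked rather than applied by default.
ignore = ["RUSTSEC-2024-0013"]
```

The suppression only affects scanner output; the same decision should be carried into whatever VEX or SBOM attestation is published alongside the artifacts so downstream consumers see the justification, not just a silent absence of the finding.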
Description
fixes #451