Bridge: remove rustix via clap bump #1109
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Refs: <https://github.com/svix/svix-webhooks/security/dependabot/74> Formerly we had a runtime dep on a vulnerable version of `rustix`. This was transitive, and introduced via `clap`. Bumping clap removed this dependency from our tree. There is still one vulnerable version introduced via `opentelemetry-otlp`, but since it's a build-dep it's less of a concern (see the advisory for the rationale). ``` $ cargo tree -p [email protected] -i rustix v0.38.8 └── tempfile v3.7.1 └── prost-build v0.11.9 └── tonic-build v0.8.4 [build-dependencies] └── opentelemetry-proto v0.1.0 └── opentelemetry-otlp v0.11.0 └── svix-bridge v1.13.0 (/home/onelson/Projects/svix-webhooks/bridge/svix-bridge) ``` If we can update the various otel-related deps, we might be able to bump `rustix` or remove it entirely, but that's a bigger lift.
svix-gabriel
approved these changes
Oct 19, 2023
svix-onelson
added a commit
that referenced
this pull request
Oct 19, 2023
Same boat for `svix-server` as with `svix-bridge` in #1109 Bumping clap removes the sole runtime dependency on `rustix`, but it still exists in the dep tree impacting only compile-time code paths. ``` $ cargo tree -p [email protected] rustix v0.38.4 └── tempfile v3.7.0 ├── figment v0.10.10 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ├── prost-build v0.9.0 │ └── tonic-build v0.6.2 │ [build-dependencies] │ └── opentelemetry-otlp v0.10.0 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) └── sqlx-macros-core v0.7.1 └── sqlx-macros v0.7.1 (proc-macro) └── sqlx v0.7.1 ├── sea-orm v0.12.2 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ├── sea-query-binder v0.5.0 │ └── sea-orm v0.12.2 (*) └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ``` Updating sea-orm, and otel-related deps will help get the affected `rustix` version out of our tree entirely, but it's a larger lift. Refs: https://github.com/svix/svix-webhooks/security/dependabot/74
svix-onelson
added a commit
that referenced
this pull request
Oct 19, 2023
Same boat for `svix-server` as with `svix-bridge` in #1109 Bumping clap removes the sole runtime dependency on `rustix`, but it still exists in the dep tree impacting only compile-time code paths. ``` $ cargo tree -p [email protected] -i rustix v0.38.4 └── tempfile v3.7.0 ├── figment v0.10.10 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ├── prost-build v0.9.0 │ └── tonic-build v0.6.2 │ [build-dependencies] │ └── opentelemetry-otlp v0.10.0 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) └── sqlx-macros-core v0.7.1 └── sqlx-macros v0.7.1 (proc-macro) └── sqlx v0.7.1 ├── sea-orm v0.12.2 │ └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ├── sea-query-binder v0.5.0 │ └── sea-orm v0.12.2 (*) └── svix-server v1.13.0 (/home/onelson/Projects/svix-webhooks/server/svix-server) ``` Updating sea-orm, and otel-related deps will help get the affected `rustix` version out of our tree entirely, but it's a larger lift. Refs: https://github.com/svix/svix-webhooks/security/dependabot/74
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refs: https://github.com/svix/svix-webhooks/security/dependabot/75
Formerly we had a runtime dep on a vulnerable version of
rustix. This was transitive, and introduced viaclap. Bumping clap removed this dependency from our tree.There is still one vulnerable version introduced via
opentelemetry-otlp, but since it's a build-dep it's less of a concern (see the advisory for the rationale).If we can update the various otel-related deps, we might be able to bump
rustixor remove it entirely, but that's a bigger lift.