Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make changes to address new RUSTSEC details #6417

Merged
merged 3 commits into from
Dec 9, 2024
Merged

Make changes to address new RUSTSEC details #6417

merged 3 commits into from
Dec 9, 2024

Conversation

garypen
Copy link
Contributor

@garypen garypen commented Dec 9, 2024

RUSTSEC-2024-0421 identifies issues in the idna crate at versions < 1.0.3.

We are not affected by the vulnerability, since the router is only using the crate to resolve subgraph addresses from a trusted source. We'll ignore the advisory.

When we can update the hickory crate to a version using idna >=1.0.3, we'll remove the deny override.

Additionally:
Update the url crate to 2.5.4 anyway, so it's using idna 1.0.3
Allow crates using UNICODE-3.0 license

@garypen
Make changes to address new RUSTSEC details
7d93ccc 
RUSTSEC-2024-0421 identifies issues in the idna crate at versions <
1.0.3.

We are not affected by the vulnerability, since the router is only
using the crate to resolve subgraph addresses from a trusted source.
We'll ignore the advisory.

When we can update the hickory crate to a version using idna >=1.0.3,
we'll remove the deny override.

Additionally:
    Update the url crate to 2.5.4 anyway, so it's using idna 1.0.3
@garypen garypen self-assigned this Dec 9, 2024
@garypen garypen requested review from a team as code owners December 9, 2024 14:55
@svc-apollo-docs
Copy link
Collaborator

svc-apollo-docs commented Dec 9, 2024
edited
Loading

✅ Docs Preview Ready

No new or changed pages found.

@garypen garypen requested a review from bnjjj December 9, 2024 14:56
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

@garypen, please consider creating a changeset entry in /.changesets/. These instructions describe the process and tooling.

@garypen garypen requested a review from SimonSapin December 9, 2024 14:56
@router-perf
Copy link

router-perf bot commented Dec 9, 2024

CI performance tests

  • connectors-const - Connectors stress test that runs with a constant number of users
  • const - Basic stress test that runs with a constant number of users
  • demand-control-instrumented - A copy of the step test, but with demand control monitoring and metrics enabled
  • demand-control-uninstrumented - A copy of the step test, but with demand control monitoring enabled
  • enhanced-signature - Enhanced signature enabled
  • events - Stress test for events with a lot of users and deduplication ENABLED
  • events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • events_big_cap_high_rate_callback - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity using callback mode
  • events_callback - Stress test for events with a lot of users and deduplication ENABLED in callback mode
  • events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • events_without_dedup_callback - Stress test for events with a lot of users and deduplication DISABLED using callback mode
  • extended-reference-mode - Extended reference mode enabled
  • large-request - Stress test with a 1 MB request payload
  • no-tracing - Basic stress test, no tracing
  • reload - Reload test over a long period of time at a constant rate of users
  • step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • step-local-metrics - Field stats that are generated from the router rather than FTV1
  • step-with-prometheus - A copy of the step test with the Prometheus metrics exporter enabled
  • step - Basic stress test that steps up the number of users over time
  • xlarge-request - Stress test with 10 MB request payload
  • xxlarge-request - Stress test with 100 MB request payload

@garypen garypen enabled auto-merge December 9, 2024 15:01
@garypen
Merge branch 'dev' into garypen/prevent-deny-complaints
663082c
@garypen
Try to fix the Cargo.lock file
7955b24 
I may have updated too much in the lock file, so try to recover it.
@garypen garypen merged commit e928145 into dev Dec 9, 2024
13 checks passed
@garypen garypen deleted the garypen/prevent-deny-complaints branch December 9, 2024 16:09
@garypen garypen mentioned this pull request Dec 10, 2024
Merged
@bnjjj bnjjj mentioned this pull request Dec 10, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lrlna lrlna lrlna approved these changes

@bnjjj bnjjj bnjjj approved these changes

@SimonSapin SimonSapin Awaiting requested review from SimonSapin

Assignees

@garypen garypen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@garypen @svc-apollo-docs @bnjjj @lrlna