You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If a project using Dependabot has (only) an indirect dependency on a vulnerable Rust crate, the security alert does not distinguish that case and will recommend a fix that would only be applicable for a direct dependency.
Example vulnerability: mio recently had a (Windows-specific) security vulnerability, tokio-rs/mio#1760. mio is an optional dependency of tokio, which is widely depended on, but most projects that depend on tokio do not depend directly (if at all) on mio.
Example downstream project: Dependabot is configured (dependabot.yml) for zcash/librustzcash, which is a workspace containing several library crates with a shared Cargo.lock. Some of its component crates have an indirect dependency or dev-dependency on tokio, but none of them have a direct dependency on mio:
At the time of the alert, tokio depended (optionally) on mio 0.8.9. In this case, because mio 0.8.9 → 0.8.11 is a non-breaking update according to Semver:
A cargo update (or more narrowly, cargo update -p mio) would be sufficient to update Cargo.lock in librustzcash.
If tokio were to release a version that updated its dependency on mio (see Windows Named pipes invalid memory access tokio-rs/tokio#6369 (comment)), the librustzcash project might prefer to update its dependency on tokio (more precisely, the dependency chain tonic → axum → hyper → h2 → tokio) to that version — even though it isn't strictly required because librustzcash only contains library crates and the fix to mio is a non-breaking update. But such a version doesn't necessarily exist (at time-of-writing, it didn't in this example) when the security alert occurs and/or when a PR to fix it is created.
Adding a new dependency on mio would be incorrect and useless.
If, on the other hand, the fixed version of the vulnerable crate were a breaking update according to Semver, then adding a dependency on the new version would not fix the potential vulnerability, because the crate dependency would be duplicated. And so for indirect dependencies, the advised action is either useless (if it is not also a direct dependency) or insufficient.
The main advised action should be to run cargo update -p mio, and then check using cargo tree --all-features --target=all -i mio that the project now only pins non-vulnerable versions. (In this case the mio dependency isn't duplicated, but if it were then you would need to run cargo tree ... for each version.)
The PR created by the big green "Create Dependabot security update" button is correct and indeed does the equivalent of cargo update -p mio: zcash/librustzcash#1225. So it's just the security alert text that could be misleading.
Note that there are many cases here. The project using dependabot:
Is there an existing issue for this?
Feature description
If a project using Dependabot has (only) an indirect dependency on a vulnerable Rust crate, the security alert does not distinguish that case and will recommend a fix that would only be applicable for a direct dependency.
Example vulnerability: mio recently had a (Windows-specific) security vulnerability, tokio-rs/mio#1760. mio is an optional dependency of tokio, which is widely depended on, but most projects that depend on tokio do not depend directly (if at all) on mio.
Example downstream project: Dependabot is configured (dependabot.yml) for zcash/librustzcash, which is a workspace containing several library crates with a shared Cargo.lock. Some of its component crates have an indirect dependency or dev-dependency on tokio, but none of them have a direct dependency on mio:
librustzcash got a security alert at https://github.com/zcash/librustzcash/security/dependabot/8 that looked like this:
At the time of the alert, tokio depended (optionally) on mio 0.8.9. In this case, because mio 0.8.9 → 0.8.11 is a non-breaking update according to Semver:
cargo update
(or more narrowly,cargo update -p mio
) would be sufficient to updateCargo.lock
in librustzcash.If, on the other hand, the fixed version of the vulnerable crate were a breaking update according to Semver, then adding a dependency on the new version would not fix the potential vulnerability, because the crate dependency would be duplicated. And so for indirect dependencies, the advised action is either useless (if it is not also a direct dependency) or insufficient.
The main advised action should be to run
cargo update -p mio
, and then check usingcargo tree --all-features --target=all -i mio
that the project now only pins non-vulnerable versions. (In this case themio
dependency isn't duplicated, but if it were then you would need to runcargo tree ...
for each version.)The PR created by the big green "Create Dependabot security update" button is correct and indeed does the equivalent of
cargo update -p mio
: zcash/librustzcash#1225. So it's just the security alert text that could be misleading.Note that there are many cases here. The project using dependabot:
Cargo.lock
;Cargo.lock
for libraries has changed);Cargo.toml
s and any of the above applying to each component crate;The text was updated successfully, but these errors were encountered: