From 0890ddb0d7f9c5a69eae6a5bc545b80f75c1de83 Mon Sep 17 00:00:00 2001
From: Emil Ernerfeldt
Date: Thu, 15 Feb 2024 11:53:16 +0100
Subject: [PATCH] Update `tungstenite` to remove RUSTSEC warning (#5200)
### What * Closes https://github.com/rerun-io/rerun/issues/5198 ### Checklist * [x] I have read and agree to [Contributor Guide](https://github.com/rerun-io/rerun/blob/main/CONTRIBUTING.md) and the [Code of Conduct](https://github.com/rerun-io/rerun/blob/main/CODE_OF_CONDUCT.md) * [x] I've included a screenshot or gif (if applicable) * [x] I have tested the web demo (if applicable): * Using newly built examples: [app.rerun.io](https://app.rerun.io/pr/5200/index.html) * Using examples from latest `main` build: [app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/main/examples_manifest.json) * Using full set of examples from `nightly` build: [app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/nightly/examples_manifest.json) * [x] The PR title and labels are set such as to maximize their usefulness for the next release's CHANGELOG * [x] If applicable, add a new check to the [release checklist](https://github.com/rerun-io/rerun/blob/main/tests/python/release_checklist)! * [x] Test - [PR Build Summary](https://build.rerun.io/pr/5200) - [Docs preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/docs) - [Examples preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/examples) - [Recent benchmark results](https://build.rerun.io/graphs/crates.html) - [Wasm size tracking](https://build.rerun.io/graphs/sizes.html)
---
 Cargo.lock | 101 ++++++++++++++++++----------------
 Cargo.toml | 4 +-
 crates/re_ws_comms/Cargo.toml | 4 +-
 deny.toml | 6 +-
 4 files changed, 60 insertions(+), 55 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index dc72c4beb1ac..8c0e1de88bec 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -641,6 +641,12 @@ version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + [[package]] name = "bincode" version = "1.3.3" @@ -1463,6 +1469,12 @@ dependencies = [ "syn 2.0.48", ] +[[package]] +name = "data-encoding" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7e962a19be5cfc3f3bf6dd8f61eb50107f356ad6270fbb3ed41476571db78be5" + [[package]] name = "derivative" version = "2.2.0" @@ -5371,17 +5383,16 @@ dependencies = [ [[package]] name = "ring" -version = "0.16.20" +version = "0.17.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +checksum = "9babe80d5c16becf6594aa32ad2be8fe08498e7ae60b77de8df700e67f191d7e" dependencies = [ "cc", + "getrandom", "libc", - "once_cell", "spin", "untrusted", - "web-sys", - "winapi", + "windows-sys 0.48.0", ] [[package]] @@ -5678,14 +5689,24 @@ dependencies = [ [[package]] name = "rustls" -version = "0.20.8" +version = "0.21.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f" +checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", "ring", + "rustls-webpki", "sct", - "webpki", +] + +[[package]] +name = "rustls-webpki" +version = "0.101.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" +dependencies = [ + "ring", + "untrusted", ] [[package]] 
@@ -5729,9 +5750,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "sct" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ "ring", "untrusted", @@ -5821,17 +5842,6 @@ dependencies = [ "serde", ] -[[package]] -name = "sha-1" -version = "0.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5058ada175748e33390e40e872bd0fe59a19f265d0158daa551c5a88a76009c" -dependencies = [ - "cfg-if", - "cpufeatures", - "digest", -] - [[package]] name = "sha1" version = "0.10.5" @@ -6009,9 +6019,9 @@ dependencies = [ [[package]] name = "spin" -version = "0.5.2" +version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" [[package]] name = "spirv" @@ -6313,9 +6323,9 @@ dependencies = [ [[package]] name = "tokio-tungstenite" -version = "0.17.2" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f714dd15bead90401d77e04243611caec13726c2408afd5b31901dfcdcb3b181" +checksum = "212d5dcb2a1ce06d81107c3d0ffa3121fe974b73f068c8282cb1c32328113b6c" dependencies = [ "futures-util", "log", 
@@ -6425,24 +6435,23 @@ checksum = "44dcf002ae3b32cd25400d6df128c5babec3927cd1eb7ce813cfff20eb6c3746" [[package]] name = "tungstenite" -version = "0.17.3" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e27992fd6a8c29ee7eef28fc78349aa244134e10ad447ce3b9f0ac0ed0fa4ce0" +checksum = "9e3dac10fd62eaf6617d3a904ae222845979aec67c615d1c842b4002c7666fb9" dependencies = [ - "base64 0.13.1", "byteorder", "bytes", + "data-encoding", "http", "httparse", "log", "rand", "rustls", - "sha-1", + "sha1", "thiserror", "url", "utf-8", - "webpki", - "webpki-roots", + "webpki-roots 0.24.0", ] [[package]] @@ -6536,24 +6545,24 @@ checksum = "c7de7d73e1754487cb58364ee906a499937a0dfabd86bcb980fa99ec8c8fa2ce" [[package]] name = "untrusted" -version = "0.7.1" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "ureq" -version = "2.6.2" +version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "338b31dd1314f68f3aabf3ed57ab922df95ffcd902476ca7ba3c4ce7b908c46d" +checksum = "f8cdd25c339e200129fe4de81451814e5228c9b771d57378817d6117cc2b3f97" dependencies = [ - "base64 0.13.1", + "base64 0.21.7", "flate2", "log", "once_cell", "rustls", + "rustls-webpki", "url", - "webpki", - "webpki-roots", + "webpki-roots 0.25.4", ] [[package]] 
@@ -6986,23 +6995,19 @@ dependencies = [
 ]
 
 [[package]]
-name = "webpki"
-version = "0.22.1"
+name = "webpki-roots"
+version = "0.24.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
+checksum = "b291546d5d9d1eab74f069c77749f2cb8504a12caa20f0f2de93ddbf6f411888"
 dependencies = [
- "ring",
- "untrusted",
+ "rustls-webpki",
 ]
 
 [[package]]
 name = "webpki-roots"
-version = "0.22.6"
+version = "0.25.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87"
-dependencies = [
- "webpki",
-]
+checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
 
 [[package]]
 name = "weezl"
diff --git a/Cargo.toml b/Cargo.toml
index 47f57e010e7b..74df6328a447 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -213,10 +213,10 @@ time = { version = "0.3", default-features = false, features = [
 tinyvec = { version = "1.6", features = ["alloc", "rustc_1_55"] }
 tobj = "4.0"
 tokio = { version = "1.24", default-features = false }
-tokio-tungstenite = { version = "0.17.1", default-features = false }
+tokio-tungstenite = { version = "0.20.0", default-features = false }
 toml = { version = "0.7.8", default-features = false }
 tracing = { version = "0.1", default-features = false }
-tungstenite = { version = "0.17", default-features = false }
+tungstenite = { version = "0.20", default-features = false }
 type-map = "0.5"
 typenum = "1.15"
 unindent = "0.2"
diff --git a/crates/re_ws_comms/Cargo.toml b/crates/re_ws_comms/Cargo.toml
index 04f6d42e8434..d581e475a60d 100644
--- a/crates/re_ws_comms/Cargo.toml
+++ b/crates/re_ws_comms/Cargo.toml
@@ -63,7 +63,9 @@ futures-util = { workspace = true, optional = true, default-features = false, fe
 "std",
 ] }
 parking_lot = { workspace = true, optional = true }
-tokio-tungstenite = { workspace = true, optional = true }
+tokio-tungstenite = { workspace = true, optional = true, features = [
+ "handshake",
+] }
 tokio = { workspace = true, optional = true, features = [
 "io-std",
 "macros",
diff --git a/deny.toml b/deny.toml
index f977cc685799..8bf1bbd51445 100644
--- a/deny.toml
+++ b/deny.toml
@@ -26,10 +26,7 @@ targets = [
 vulnerability = "deny"
 unmaintained = "warn"
 yanked = "deny"
-ignore = [
- "RUSTSEC-2023-0052", # https://rustsec.org/advisories/RUSTSEC-2023-0052 - webpki: CPU denial of service in certificate path building - can be fixed by `cargo update -p ureq`, but then we run into duplicate crates: https://github.com/algesten/ureq/issues/653
- "RUSTSEC-2023-0065", # https://rustsec.org/advisories/RUSTSEC-2023-0065 - Tungstenite WebSocket server can be DOS-attacked by malicious clients
-]
+ignore = []
 
 [bans]
 multiple-versions = "deny"
@@ -56,6 +53,7 @@ skip = [
 { name = "raw-window-handle" }, # Pretty small crate; some crates still on old version
 { name = "redox_syscall" }, # Plenty of versions in the wild
 { name = "spin" }, # Old version used by rusttls
+ { name = "webpki-roots" }, # ureq and tungstenite are on different version 😭
 { name = "windows" }, # Old version used by accesskit_windows, newer version used by wgpu
 ]
 skip-tree = [
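Review bot: The new `features = ["handshake"]` on `tokio-tungstenite` has no comment saying why the feature is now required, and the workspace entry it inherits keeps `default-features = false`, so the next person bumping the crate cannot tell whether the feature is load-bearing or leftover. Presumably 0.20 gates `accept_async`/`connect_async` behind it, but that is inferred, not visible here; I would put `# "handshake": needed for accept_async/connect_async, not implied with default-features = false` above the entry. It is also worth confirming which manifest turns on TLS: the lockfile hunk shows `tungstenite` now pulling in `rustls` and `webpki-roots 0.24.0`, which does not come from this entry or the workspace one, so some other feature selection is in play and should be documented next to whichever dependency enables it.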
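Review bot: The new `{ name = "webpki-roots" }` skip in the `[bans]` list admits two different copies of the Mozilla root store into one binary (0.24.0 under `tungstenite`, 0.25.4 under `ureq`, per the lockfile hunks), so a peer certificate can be trusted by the websocket client and rejected by the HTTP client or the reverse, and a future root removal or distrust lands in only one of them. The comment should record the exit condition rather than just the frustration, e.g. `{ name = "webpki-roots" }, # TODO: remove once tungstenite is on webpki-roots 0.25 (ureq already is)`. The neighbouring `{ name = "spin" }, # Old version used by rusttls` context line also looks stale: the lockfile hunk rewrites the single `spin` entry from 0.5.2 to 0.9.8 rather than adding a second version, so with `multiple-versions = "deny"` that skip may now cover nothing and silently widen what future duplicates are allowed; confirm with `cargo deny check bans` and retire it if so, and fix the `rusttls` spelling while there.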