
fix(deps): Update yanked versions of cpufeatures (orchard/aes), ed25519 (tor), and quick-xml (flamegraph) #5308

Merged: 1 commit merged into main from fix-transitive-deps on Oct 4, 2022

Conversation

teor2345 (Contributor) commented Oct 2, 2022

Motivation

Some of Zebra's transitive dependencies have been yanked (unpublished on crates.io).

The latest versions fix a miscompile that causes crashes in cryptographic code, and other bugs.

This fixes compilation warnings like:

Warning: warning: package ed25519 v1.4.0 in Cargo.lock is yanked in registry crates-io, consider running without --locked

https://github.com/ZcashFoundation/zebra/actions/runs/3150408776/jobs/5123159992#step:4:18

https://github.com/ZcashFoundation/zebra/actions/runs/3170245187

Solution

Use cargo update -p <crate-name> to update each of these dependencies to the latest version in Cargo.lock.

(We don't depend on them directly, so we can't update Cargo.toml to fix them.)

Review

This is a high priority because it might be a cause of #5091.

(These dependencies are not used by the download code, but they are in the same crate. So it's unlikely but possible.)

Reviewer Checklist

  • Will the PR name make sense to users?
    • Does it need extra CHANGELOG info? (new features, breaking changes, large changes)
  • Are the PR labels correct?
  • Does the code do what the ticket and PR says?
  • How do you know it works? Does it have tests?
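
The procedure in the Solution section, as an added shell example that is not part of the Zebra PR or repository: it parses a Cargo.lock, reports which locked versions appear on a list of known-yanked versions, and prints the cargo update -p command for each. The sample lockfile and the yanked list are constructed for the example; only the ed25519 1.4.0 entry comes from the warning quoted above, and the example-crate entries are placeholders, not real yanked releases. The commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not code from the Zebra project: find locked crate versions
# that are known to be yanked and print the `cargo update -p` fix for each.

# Constructed sample Cargo.lock. ed25519 1.4.0 matches the PR's warning; the
# example-crate entries are placeholders and do not describe a real crate.
LOCK="${TMPDIR:-/tmp}/Cargo.lock.example"
cat > "$LOCK" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "ed25519"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-crate"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-crate"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

# Constructed list of "name version" pairs known to be yanked. In practice
# these come from cargo's "is yanked in registry" warnings, as in the PR.
YANKED="ed25519 1.4.0
example-crate 0.9.0"

# Print every locked version of crate $1 found in lockfile $2, one per line.
# Inside a [[package]] block Cargo.lock always writes `name =` before
# `version =`, so remembering the last name seen is enough.
locked_versions() {
    awk -v want="$1" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); if (name == want) print $3 }
    ' "$2"
}

# Print "name version" for each YANKED pair still pinned in lockfile $1.
yanked_in_lock() {
    printf '%s\n' "$YANKED" | while read -r name ver; do
        for locked in $(locked_versions "$name" "$1"); do
            if [ "$locked" = "$ver" ]; then
                printf '%s %s\n' "$name" "$ver"
            fi
        done
    done
}

# Print one `cargo update -p` command per yanked crate. The name@version
# package-id form selects the right entry when several versions of the same
# crate are locked (example-crate above has two).
fix_commands() {
    yanked_in_lock "$1" | while read -r name ver; do
        printf 'cargo update -p %s@%s\n' "$name" "$ver"
    done
}

fix_commands "$LOCK"
```

Cargo only warns about a yanked entry in Cargo.lock, as the warning in the PR shows, so the build still succeeds with the yanked code linked in; running a check like this in CI and failing when yanked_in_lock prints anything turns that warning into a failure. When only one version of a crate is locked, the plain cargo update -p name form from the Solution section is enough.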

@teor2345 teor2345 added labels C-bug (Category: This is a bug), A-dependencies (Area: Dependency file updates), A-rust (Area: Updates to Rust code), P-High 🔥, C-security (Category: Security issues), I-crash (Zebra crashes without a panic), I-memory-safety (Vulnerable code in Zebra or dependencies) on Oct 2, 2022
@teor2345 teor2345 requested a review from a team as a code owner October 2, 2022 23:43
@teor2345 teor2345 self-assigned this Oct 2, 2022
@teor2345 teor2345 requested review from oxarbitrage and removed request for a team October 2, 2022 23:43
@github-actions github-actions bot added the label C-feature (Category: New features) on Oct 2, 2022
codecov bot commented Oct 3, 2022

Codecov Report

Merging #5308 (34585ff) into main (9849d14) will decrease coverage by 0.04%.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5308      +/-   ##
==========================================
- Coverage   79.15%   79.10%   -0.05%     
==========================================
  Files         308      308              
  Lines       39479    39560      +81     
==========================================
+ Hits        31248    31294      +46     
- Misses       8231     8266      +35     

mergify bot added a commit that referenced this pull request Oct 3, 2022
teor2345 (Contributor, Author) commented Oct 4, 2022

Failed due to db_init_outside_future_executor, which is fixed on main:
https://github.com/ZcashFoundation/zebra/actions/runs/3178286290/jobs/5179623991#step:10:3727

And local_listener_fixed_port_localhost_addr_v4, which is #4999:
https://github.com/ZcashFoundation/zebra/actions/runs/3178286293/jobs/5180152372#step:3:3344

teor2345 (Contributor, Author) commented Oct 4, 2022

@Mergifyio refresh

mergify bot (Contributor) commented Oct 4, 2022

refresh

✅ Pull request refreshed

mergify bot added a commit that referenced this pull request Oct 4, 2022
@mergify mergify bot merged commit 9f6a1fd into main Oct 4, 2022
@mergify mergify bot deleted the fix-transitive-deps branch October 4, 2022 07:31