Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update cargo-audit to rustset 0.29.2 #23795

Merged
merged 1 commit into from
May 23, 2024
Merged

Update cargo-audit to rustset 0.29.2 #23795

merged 1 commit into from
May 23, 2024

Conversation

rillian
Copy link
Contributor

@rillian rillian commented May 22, 2024
edited
Loading

Update Cargo.lock for our vendored cargo-audit to use rustsec 0.29.2 and its associated dependencies to pick up recent fixes.

Resolves

Submitter Checklist:

  • I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@rillian
Update cargo-audit to rustset 0.29.2
1277c87 
Update Cargo.lock for our vendored `cargo-audit` to use rustsec 0.29.2
and it's associated dependencies to pick up recent fixes.
@rillian rillian self-assigned this May 22, 2024
@rillian rillian requested a review from a team as a code owner May 22, 2024 23:17
@github-actions github-actions bot added the CI/run-audit-deps Check for known npm/cargo vulnerabilities (audit_deps) label May 22, 2024
@github-actions GitHub Actions
Copy link
Contributor

[puLL-Merge] - brave/brave-core@23795

Description

This PR updates several dependencies in the Brave browser codebase, particularly around the gix family of crates and the rustls, hyper, and reqwest HTTP client libraries. The motivation seems to be bringing these dependencies up to their latest versions.

Changes

Changes

  • Cargo.lock: Updated the versions and dependencies for numerous crates, including:
    • Updated gix crates like gix, gix-actor, gix-hash, gix-index, gix-object, gix-pack etc to newer versions
    • Bumped hyper from 0.14 to 1.3.1 and updated its dependencies
    • Upgraded reqwest from 0.11 to 0.12
    • Upgraded rustls from 0.21 to 0.22
    • Added some new indirect dependencies like ahash, atomic-waker
    • Removed some unused dependencies like btoi, num-traits, sct

Overall this is a substantial update to modernize the browser's Rust dependencies, especially around Git functionality, HTTP communication and TLS.

Security Hotspots

The main security sensitive updates are to rustls, hyper and reqwest which handle network encryption and communication. However, these are mature and widely used libraries, so upgrading to their latest versions is more likely to improve security than introduce new issues.

Reviewing the detailed changelogs for these to understand any breaking changes or new behaviors would be prudent from a security perspective. For example, understanding the implications of the rustls 0.21 to 0.22 upgrade. But overall these updates look reasonable from a security point of view.

@rillian rillian enabled auto-merge May 22, 2024 23:20
@rillian rillian merged commit e1ab2d0 into master May 23, 2024
20 checks passed
@rillian rillian deleted the cargo-audit-rustsec-0.29.2 branch May 23, 2024 17:56
@github-actions github-actions bot added this to the 1.68.x - Nightly milestone May 23, 2024
@rillian rillian mentioned this pull request May 26, 2024
Merged
24 tasks
brave-builds added a commit that referenced this pull request May 28, 2024
@brave-builds
Uplift of #23795 (squashed) to beta
26b3801
@brave-builds brave-builds mentioned this pull request May 28, 2024
Merged
7 tasks
rillian added a commit that referenced this pull request May 28, 2024
@rillian
Update cargo-audit rustsec to 0.29.3
ef1b653 
Backport of #23834 and #23795 to 1.66.x.

Addresses:

- GHSA-7w47-3wg8-547c
- GHSA-49jc-r788-3fc9
- https://rustsec.org/advisories/RUSTSEC-2024-0335
- https://rustsec.org/advisories/RUSTSEC-2024-0332
- https://rustsec.org/advisories/RUSTSEC-2024-0336
kjozwiak pushed a commit that referenced this pull request May 28, 2024
@brave-builds @rillian
Update cargo-audit to rustset 0.29.3 (uplift to 1.67.x) (#23878)
afdd250 
* Uplift of #23795 (squashed) to beta

* Update cargo-audit to rustsec 0.29.3.

Update Cargo.lock for our vendored `cargo-audit` to pick up recent
fixes to the `gix` crate series.

Addresses GHSA-7w47-3wg8-547c and GHSA-49jc-r788-3fc9.

---------

Co-authored-by: Ralph Giles <rgiles@brave.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antonok-edm antonok-edm antonok-edm approved these changes

@bridiver bridiver bridiver approved these changes

Assignees

@rillian rillian

Labels
CI/run-audit-deps Check for known npm/cargo vulnerabilities (audit_deps) puLL-Merge
Projects
None yet
Milestone
1.68.x - Release
Development

Successfully merging this pull request may close these issues.
3 participants
@rillian @bridiver @antonok-edm