Upgrade all dependencies#1120
Conversation
We're keeping RustCrypto crates back during the hybrid array transition: - aes to 0.8.4 - cbc to 0.1.2 - crypto-common to 0.1.7 - digest to 0.10.7 - hkdf to 0.12.4 - hmac to 0.12.1 - sha2 to 0.10.9 - signature to 2.2.0 We're also keeping the OpenTitan submodule back. It will be bumped in a separate PR.
There was a problem hiding this comment.
Code Review
This pull request updates numerous dependencies across the workspace, including upgrading spin to 0.12.0, tokio to 1.52.3, and wasmtime to 45.0.0, alongside bumping the nightly Rust toolchain version. However, a critical security vulnerability was flagged in the upgrade of the riscv crate to 0.16.1 in crates/runner-opentitan, which introduces pastey—a highly suspicious and potentially malicious typo-squatting crate—instead of the standard paste crate. It is strongly recommended to revert this upgrade immediately to prevent supply chain risks.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
HWCI passed on Nordic and OpenTitan (with #1121). |
We're keeping RustCrypto crates back during the hybrid array transition:
We're also keeping the OpenTitan submodule back. It will be bumped in a separate PR.