deps: upgrade Tokio 1.21.0 -> 1.24.1 #1877
Merged
Description
This branch updates the Cargo.lock file with the output produced by cargo update -p tokio, updating Tokio from 1.21.0 to 1.24.1.
Notably this resolves RUSTSEC-2023-0001, which was previously flagged in CI by cargo audit.
Note to reviewers
As a word of warning, there's a decent number of commits between these two tags and the vuln itself seems uninteresting for trust-dns. I'm probably too new to this codebase and the Tokio ecosystem to safely vet the update beyond saying that cargo make test passes locally, so this may require more analysis by a maintainer. It's also possible we could specify a more precise version to cargo update -p tokio to resolve the vuln with less of a semver jump.
Cargo audit
tip of main cargo audit output
branch cargo audit output: