Bump rustls-webpki to 0.103.13#1062
Merged
ladvoc merged 3 commits into livekit:main from May 8, 2026
Conversation
This change bumps rustls-webpki from 0.101.7 to 0.103.13, to address GHSA-82j2-j2ch-gfr8. The change is mostly mechanical, but involved upgrading several related crates, and taking an explicit dependency on `bytes`:

- tokio-tungstenite: 0.20 -> 0.29
- async-tungstenite: 0.25 -> 0.29
- tokio-rustls: 0.24 -> 0.26
- rustls-native-certs: 0.6 -> 0.8

I'm not sure of the best way to test this change. In particular, the proxy + wss:// + rustls-tls-native-roots portion doesn't seem to have any automated test coverage. Unfortunately, this is the portion most heavily impacted by the upgrade.

Note that `rustls-native-certs` changed `load_native_certs` to return a `CertificateResult { certs, errors }` instead of a `Result`, which means that a single unparseable trust-store entry no longer fails the whole load. The proxy-TLS path now logs errors and fails only when `certs` is empty, which mirrors [the way that `tokio-tungstenite` does things](https://github.com/snapview/tokio-tungstenite/blob/751d7e2bc26e5de302f4a79907b6949bf00e0043/src/tls.rs#L98-L113). This is strictly more permissive than the previous code.
Contributor
@gasmith, thank you for your contribution! We will validate this to make sure there are no regressions and get it merged ASAP.
Contributor
@gasmith, please add the following changeset at

```markdown
---
livekit-ffi: minor
livekit: patch
livekit-api: minor
---
# Bump `rustls-webpki` to 0.103.13, addressing [GHSA-82j2-j2ch-gfr8](https://github.com/advisories/GHSA-82j2-j2ch-gfr8)
```
ladvoc approved these changes May 7, 2026
Contributor
Author
Done! Thanks for the quick review.
PR description

This change bumps rustls-webpki from 0.101.7 to 0.103.13, to address GHSA-82j2-j2ch-gfr8 and fixes #1058.

The change is mostly mechanical, but involved upgrading several related crates, and taking an explicit dependency on `bytes`:

- tokio-tungstenite: 0.20 -> 0.29
- async-tungstenite: 0.25 -> 0.29
- tokio-rustls: 0.24 -> 0.26
- rustls-native-certs: 0.6 -> 0.8

Note that `rustls-native-certs` changed `load_native_certs` to return a `CertificateResult { certs, errors }` instead of a `Result`, which means that a single unparseable trust-store entry no longer fails the whole load. The proxy-TLS path now logs errors and fails only when `certs` is empty, which mirrors the way that `tokio-tungstenite` does things. This is strictly more permissive than the previous code.

Breaking changes

Nothing serious. Technically, `tungstenite::Error` (which experienced breaking changes) is leaked through `SignalError::WsError`, but it's unlikely anyone is actually using that. It's not documented, and it's not leaked (in a reachable way) through the `livekit` crate. This would only impact crates that depend on `livekit-api` directly.

MSRV

No impact

Testing

I'm not sure of the best way to test this change. In particular, the proxy + wss:// + rustls-tls-native-roots portion doesn't seem to have any automated test coverage. Unfortunately, this is the portion most heavily impacted by the upgrade.
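The `CertificateResult` handling described in the PR description above (both the conversation copy and the template copy), as an added example that is not the PR's or the crate's own code: `CertificateDer`, `CertError` and `CertificateResult` are constructed stand-ins for the rustls-native-certs 0.8 types so the snippet compiles offline, and `legacy_roots` / `native_roots` are hypothetical helpers contrasting the old all-or-nothing `Result` behaviour with the new fail-only-when-`certs`-is-empty policy.

```rust
// Added example, not code from the livekit PR. The types below are local
// stand-ins mirroring the shape of rustls-native-certs 0.8's
// `load_native_certs()` result (certs + errors) so this compiles offline.
#[derive(Clone, Debug, PartialEq)]
pub struct CertificateDer(pub Vec<u8>); // stand-in for DER certificate bytes

#[derive(Clone, Debug, PartialEq)]
pub struct CertError(pub String); // stand-in for the per-entry loader error

/// Stand-in for `rustls_native_certs::CertificateResult` (0.8+).
#[derive(Debug)]
pub struct CertificateResult {
    pub certs: Vec<CertificateDer>,
    pub errors: Vec<CertError>,
}

/// Pre-0.8 semantics: the loader returned `Result<Vec<_>, _>`, so a single
/// unparseable trust-store entry failed the whole load.
pub fn legacy_roots(result: &CertificateResult) -> Result<Vec<CertificateDer>, String> {
    if let Some(first) = result.errors.first() {
        return Err(format!("native cert load failed: {}", first.0));
    }
    Ok(result.certs.clone())
}

/// 0.8 semantics as the PR applies them: report every per-entry error but
/// fail only when no certificate at all was loaded. Returns the usable roots
/// plus the warnings the caller should log.
pub fn native_roots(result: &CertificateResult) -> Result<(Vec<CertificateDer>, Vec<String>), String> {
    let warnings: Vec<String> = result.errors.iter()
        .map(|e| format!("skipping unreadable native cert: {}", e.0))
        .collect();
    if result.certs.is_empty() {
        // Nothing to trust, so the proxy TLS connection cannot be verified.
        return Err(format!("no native root certificates loaded ({} errors)", result.errors.len()));
    }
    Ok((result.certs.clone(), warnings))
}

/// Constructed sample: two usable entries plus one broken trust-store entry.
pub fn sample_mixed() -> CertificateResult {
    CertificateResult {
        certs: vec![CertificateDer(vec![0x30, 0x82, 0x01]), CertificateDer(vec![0x30, 0x82, 0x02])],
        errors: vec![CertError("/etc/ssl/certs/broken.pem: invalid PEM".into())],
    }
}
```

With the mixed sample, `legacy_roots` refuses the whole store while `native_roots` returns two roots and one warning; only a store with no parseable entries at all makes the new policy fail.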