Summary
Two categories of security vulnerabilities in transitive Rust dependencies cannot be resolved at the project level without upstream crate authors releasing new versions.
rustls-webpki 0.101.7 (Dependabot alerts #19, #20)
CVEs: webpki name constraint issues (fixed in 0.103.12+)
Root cause: The AWS SDK still ships rustls 0.21 support for backward compatibility with hyper 0.14:
aws-smithy-http-client 1.1.12
└─ hyper-rustls 0.24.2
   └─ rustls 0.21.12
      └─ rustls-webpki 0.101.7
The rustls-webpki 0.103.x instance has been updated to 0.103.13 (≥ required fix version). The 0.101.7 instance cannot be removed without the AWS SDK dropping its hyper 0.14 / rustls 0.21 compatibility shim.
Workaround: None available in this project. Monitor aws-sdk-rust releases for when they drop the rustls 0.21 path.
rand 0.8.6 (transitive only — no separate Dependabot alert)
CVE: Unsoundness with custom logger using rand::rng() (affects 0.9.x / 0.10.x series; 0.8.x is a separate semver series)
Root cause: Several upstream crates still depend on rand 0.8:
| Crate | Version | Status |
| --- | --- | --- |
| age | 0.11.2 | No 0.12 release yet upgrading to rand 0.9+ |
| tera | 1.20.1 | Latest 1.x still uses rand 0.8 |
| phf_generator | 0.11.3 | Latest 0.11 still uses rand 0.8 |
The rand 0.9.x and 0.10.x instances have been updated to 0.9.4 and 0.10.1 respectively (resolving alerts #16 and #17). The 0.8.6 presence is collateral from these upstream crates.
Workaround: None. Monitor upstream for new major versions of age, tera, and/or phf.
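The root-cause chains for both rustls-webpki 0.101.7 and rand 0.8.6 above are what `cargo tree -i <crate>@<version>` prints from Cargo.lock. As an added illustration that is not part of this issue, the following Python reproduces that reverse lookup offline: the Cargo.lock excerpt is constructed to mirror the rustls-webpki chain, and `parse_lock` and `why` are names chosen here, not cargo's.

```python
import re
# Constructed Cargo.lock excerpt (not the project's) mirroring the chain in the issue.
LOCK = '''[[package]]
name = "myapp"
version = "0.1.0"
dependencies = ["aws-smithy-http-client", "rustls-webpki 0.103.13"]
[[package]]
name = "aws-smithy-http-client"
version = "1.1.12"
dependencies = ["hyper-rustls"]
[[package]]
name = "hyper-rustls"
version = "0.24.2"
dependencies = ["rustls"]
[[package]]
name = "rustls"
version = "0.21.12"
dependencies = ["rustls-webpki 0.101.7"]
[[package]]
name = "rustls-webpki"
version = "0.101.7"
[[package]]
name = "rustls-webpki"
version = "0.103.13"'''

def parse_lock(text):
    # Map (name, version) -> list of (dep_name, dep_version) for each locked package.
    raw = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', chunk, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', chunk, re.M).group(1)
        deps = re.search(r"dependencies = \[(.*?)\]", chunk, re.S)
        raw[(name, version)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    # A bare "name" entry means only one version is locked; "name ver" pins one of several.
    only = {name: version for name, version in raw}
    return {pkg: [tuple(d.split(" ")[:2]) if " " in d else (d, only[d]) for d in deps]
            for pkg, deps in raw.items()}

def why(lock, root, target):
    # Every path from root to target, like `cargo tree -i` read top-down.
    found = []
    def walk(node, trail):
        if node == target:
            found.append(trail)
        for dep in lock.get(node, []):
            if dep not in trail:  # guard against cycles (dev-dependencies can form them)
                walk(dep, trail + [dep])
    walk(root, [root])
    return found
```

Running `why(parse_lock(LOCK), ("myapp", "0.1.0"), ("rustls-webpki", "0.101.7"))` yields the single path through aws-smithy-http-client, hyper-rustls and rustls 0.21, which is why a `cargo update` on the 0.103.x instance leaves 0.101.7 in place.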
Action needed
- Monitor aws-sdk-rust for a release that drops the hyper 0.14 / rustls 0.21 compat shim
- Monitor age, tera, and/or phf for release versions using rand 0.9+