chore(deps): bump openssl from 0.10.56 to 0.10.60 #4505
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.56 to 0.10.60. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](sfackler/rust-openssl@openssl-v0.10.56...openssl-v0.10.60) --- updated-dependencies: - dependency-name: openssl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
requested review from
miguelff and
Weakky
and removed request for
a team
dependabot
bot
added
dependencies
CodSpeed Performance ReportMerging #4505 will not alter performanceComparing Summary
|
|
Triggered the integration release to run ecosystem-tests. |
|
Client tests: prisma/prisma#22195 Ecosystem-tests: https://github.com/prisma/ecosystem-tests/actions/runs/7063062620. All relevant ones (like the "docker" group and cloud databases) are passing, there are two unrelated failures (one seems to be a long filename issue on windows on the first glance, another one is driver-adapters-wasm so irrelevant here). |
|
The Windows-related failure in ecosystems is super weird, never seen that before. Just rerunning also did not just fix it (As did it for the DA test). |
| version = "111.27.0+1.1.1v" | ||
| version = "300.1.6+3.1.4" |
There was a problem hiding this comment.
This, for me, means we switch from OpenSSL 1.1.1v to 3.1.4.
Do we understand the implications fully? Asking before we merge this.
https://github.com/alexcrichton/openssl-src-rs
This crate follows the latest minor and patch versions for each maintained major version, according to the OpenSSL release strategy. It has no specific support for LTS versions.
The crate versions follow the X.Y.Z+B pattern:
The major version X is the upstream OpenSSL API/ABI compatibility version: 300 for 3.Y.Z The minor Y and patch Z versions are incremented when making changes to the crate, either OpenSSL update or internal changes. B contains the full upstream OpenSSL version, like 1.1.1k or 3.0.7. Note that this field is actually ignored in comparisons and only there for documentation.
There was a problem hiding this comment.
I explained before in slack but duplicating here for visibility:
There are no implications for our build targets that use dynamically linked OpenSSL as the version of vendored OpenSSL in openssl-sys crate is irrelevant there. For targets that use vendored OpenSSL (linux-static, *-openssl-1.0.x), it will upgrade the statically linked OpenSSL from 1.1 to 3, which is desired because 1.1 is EOL. This shouldn't have observable effects for our users.
There was a problem hiding this comment.
Why doing this in this unrelated PR though?
There was a problem hiding this comment.
It's not unrelated, it's a transitive dependency that got updated. The PR updated openssl from 0.10.56 to 0.10.60, newer version of openssl requires newer version of openssl-sys, so it got updated from 0.9.91 to 0.9.96, and newer version of openssl-sys requires newer version of openssl-src, so it got updated from 111.27.0+1.1.1v to 300.1.6+3.1.4.
Since the underlying version of OpenSSL is an implementation detail and does not change the API and behavior of the higher-level Rust wrapper in any breaking way, this is permitted by semver: a patch update of a library can update a major version of its dependency if it's an implementation detail.
There was a problem hiding this comment.
Also, like Jan noted, this test is always failing, no matter how many times we retry it
https://github.com/prisma/ecosystem-tests/actions/runs/7063062620/job/19278872864#step:8:103
+ pnpm prisma db push --force-reset
Prisma schema loaded from prisma\schema.prisma
Datasource "db": PostgreSQL database "migrate_db-seed-commonjs-pkg_windows-latest_library", schema "public" at "e2e-tests-postgres.cdoyhcosd7km.us-east-1.rds.amazonaws.com:5432"
Error: Schema engine exited. Error: Command failed with ENOENT: D:\a\ecosystem-tests\ecosystem-tests\migrate\db-seed-commonjs-pkg\node_modules\.pnpm\@prisma+engines@5.7.0-integration-engines-5-7-0-25-dependabot-cargo-openssl-0-10-60-9a053826a_czfxmwiqsnvqjr47krjrp2wvha\node_modules\@prisma\engines\schema-engine-windows.exe cli --datasource <REDACTED> can-connect-to-database
spawn D:\a\ecosystem-tests\ecosystem-tests\migrate\db-seed-commonjs-pkg\node_modules\.pnpm\@prisma+engines@5.7.0-integration-engines-5-7-0-25-dependabot-cargo-openssl-0-10-60-9a053826a_czfxmwiqsnvqjr47krjrp2wvha\node_modules\@prisma\engines\schema-engine-windows.exe ENOENT
|
Good catch, yes, let's nor merge this for the moment, until the failure test situation is figured out. |
|
It is a filename issue, here's the same failure for a no-op change with an identical branch name (prisma/prisma#22306): (https://github.com/prisma/ecosystem-tests/actions/runs/7129332373/job/19413251713) |
|
I'm going to go ahead and merge, please ping asap me if you notice any problems! |
|
Thanks! |
Bumps openssl from 0.10.56 to 0.10.60.
Release notes
Sourced from openssl's releases.
... (truncated)
Commits
8f4b97aMerge pull request #2104 from alex/bump-for-releasedf66283Release openssl v0.10.60 and openssl-sys v0.9.961a09dc8Merge pull request #2102 from sfackler/ex-leakb0a1da5Merge branch 'master' into ex-leakf456b60Merge pull request #2099 from alex/deprecate-store-ref-objectsa8413b8Merge pull request #2100 from alex/symm-update-uncheckeda92c237clippye839496Don't leak when overwriting ex data602d38dAddedupdate_uncheckedtosymm::Cryptercf9681afixes #2096 -- deprecateX509StoreRef::objects, it is unsoundDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.