Update tungstenite to remove RUSTSEC warning (#5200)
### What
* Closes #5198

### Checklist
* [x] I have read and agree to [Contributor
Guide](https://github.com/rerun-io/rerun/blob/main/CONTRIBUTING.md) and
the [Code of
Conduct](https://github.com/rerun-io/rerun/blob/main/CODE_OF_CONDUCT.md)
* [x] I've included a screenshot or gif (if applicable)
* [x] I have tested the web demo (if applicable):
* Using newly built examples:
[app.rerun.io](https://app.rerun.io/pr/5200/index.html)
* Using examples from latest `main` build:
[app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/main/examples_manifest.json)
* Using full set of examples from `nightly` build:
[app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/nightly/examples_manifest.json)
* [x] The PR title and labels are set such as to maximize their
usefulness for the next release's CHANGELOG
* [x] If applicable, add a new check to the [release
checklist](https://github.com/rerun-io/rerun/blob/main/tests/python/release_checklist)!
* [x] Test

- [PR Build Summary](https://build.rerun.io/pr/5200)
- [Docs
preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/docs)
<!--DOCS-PREVIEW-->
- [Examples
preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/examples)
<!--EXAMPLES-PREVIEW-->
- [Recent benchmark results](https://build.rerun.io/graphs/crates.html)
- [Wasm size tracking](https://build.rerun.io/graphs/sizes.html)
emilk committed Feb 15, 2024
1 parent 1e5f933 commit d3f5b7c
Showing 4 changed files with 60 additions and 55 deletions.
101 changes: 53 additions & 48 deletions Cargo.lock

Some generated files are not rendered by default.

4 changes: 2 additions & 2 deletions Cargo.toml
Expand Up @@ -213,10 +213,10 @@ time = { version = "0.3", default-features = false, features = [
tinyvec = { version = "1.6", features = ["alloc", "rustc_1_55"] }
tobj = "4.0"
tokio = { version = "1.24", default-features = false }
tokio-tungstenite = { version = "0.17.1", default-features = false }
tokio-tungstenite = { version = "0.20.0", default-features = false }
toml = { version = "0.7.8", default-features = false }
tracing = { version = "0.1", default-features = false }
tungstenite = { version = "0.17", default-features = false }
tungstenite = { version = "0.20", default-features = false }
type-map = "0.5"
typenum = "1.15"
unindent = "0.2"
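
Review bot: The new requirements on the `tokio-tungstenite` and `tungstenite` lines are caret ranges, so `tungstenite = "0.20"` still accepts 0.20.0 and every later 0.20.x; the manifest alone does not guarantee that a release flagged by RUSTSEC-2023-0065 is excluded. The version actually selected is recorded in Cargo.lock, whose diff is not rendered here, and anything resolving without that lock file gets whatever the range allows. Suggest raising both floors to the first release the advisory lists as patched, so the fix is enforced by Cargo.toml rather than by the lock file alone.
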
4 changes: 3 additions & 1 deletion crates/re_ws_comms/Cargo.toml
Expand Up @@ -63,7 +63,9 @@ futures-util = { workspace = true, optional = true, default-features = false, fe
"std",
] }
parking_lot = { workspace = true, optional = true }
tokio-tungstenite = { workspace = true, optional = true }
tokio-tungstenite = { workspace = true, optional = true, features = [
"handshake",
] }
tokio = { workspace = true, optional = true, features = [
"io-std",
"macros",
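
Review bot: The added `features = ["handshake"]` on the `tokio-tungstenite` line has no comment and is not mentioned in the commit message, so it is unclear why a version bump needs a new feature. The workspace entry sets `default-features = false`, so presumably this crate now has to opt in explicitly; a short comment saying which part of `re_ws_comms` depends on it would keep someone from dropping it later as unused.
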
6 changes: 2 additions & 4 deletions deny.toml
Expand Up @@ -26,10 +26,7 @@ targets = [
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"
ignore = [
"RUSTSEC-2023-0052", # https://rustsec.org/advisories/RUSTSEC-2023-0052 - webpki: CPU denial of service in certificate path building - can be fixed by `cargo update -p ureq`, but then we run into duplicate crates: https://github.com/algesten/ureq/issues/653
"RUSTSEC-2023-0065", # https://rustsec.org/advisories/RUSTSEC-2023-0065 - Tungstenite WebSocket server can be DOS-attacked by malicious clients
]
ignore = []

[bans]
multiple-versions = "deny"
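
Review bot: Clearing `ignore` also drops the RUSTSEC-2023-0052 (webpki) entry, which the commit title does not cover and whose removed comment said the fix via `cargo update -p ureq` led to duplicate crates. With `vulnerability = "deny"` in the context lines, the check only passes if the lock file no longer contains the affected webpki, and that diff is not rendered here. Suggest stating in the commit message that the `ureq` side was updated too, and confirming that `cargo deny check advisories` passes with the empty list.
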
Expand All @@ -56,6 +53,7 @@ skip = [
{ name = "raw-window-handle" }, # Pretty small crate; some crates still on old version
{ name = "redox_syscall" }, # Plenty of versions in the wild
{ name = "spin" }, # Old version used by rusttls
{ name = "webpki-roots" }, # ureq and tungstenite are on different version 😭
{ name = "windows" }, # Old version used by accesskit_windows, newer version used by wgpu
]
skip-tree = [
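
Review bot: The new `{ name = "webpki-roots" }` skip carries no version, so under `multiple-versions = "deny"` it exempts every duplicate of that crate, including ones introduced later by unrelated dependencies. cargo-deny accepts a `version` field on skip entries; pinning the skip to the older of the two versions in use keeps the ban effective for anything new. A link to an upstream tracking issue, like the one the removed RUSTSEC-2023-0052 comment had, would make it clear when this entry can be deleted.
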