Skip to content

Bump transitive rustls-webpki dependency#165

Merged
MDLC01 merged 1 commit into
typst:mainfrom
T0mstone:main
May 17, 2026
Merged

Bump transitive rustls-webpki dependency#165
MDLC01 merged 1 commit into
typst:mainfrom
T0mstone:main

Conversation

@T0mstone
Copy link
Copy Markdown
Collaborator

@T0mstone T0mstone commented May 12, 2026

...so that I can stop getting the annoying dependabot alert E-mails.
(I also considered changing my notif settings, but since there's apparently a vulnerability, why not stop people from running vulnerable code when running the tests that fetch something from the web)

We can then later remove the extra dependency line again after ureq updates its rustls dependency and we update to that newer ureq version.

@T0mstone T0mstone added the meta Discussion about the structure of this repo label May 12, 2026
@MDLC01
Copy link
Copy Markdown
Collaborator

MDLC01 commented May 12, 2026

I don't understand why we need rustls-webpki even though it's not used in the code

@T0mstone
Copy link
Copy Markdown
Collaborator Author

T0mstone commented May 12, 2026

It's a transitive dependency (ureq depends on rustls, which depends on rustls-webpki). Adding an it as an explicit dependency tells Cargo's version resolver to use that version as the minimum, which is higher than what it would otherwise have chosen.

MDLC01
MDLC01 reviewed May 13, 2026
View reviewed changes
Comment thread Cargo.toml Outdated
@MDLC01
Copy link
Copy Markdown
Collaborator

MDLC01 commented May 17, 2026

Let's merge this before we get any further Dependabot e-mails.

@MDLC01 MDLC01 merged commit 18a4ea3 into typst:main May 17, 2026
2 checks passed
@laurmaedje
Copy link
Copy Markdown
Member

laurmaedje commented May 18, 2026

It's a transitive dependency (ureq depends on rustls, which depends on rustls-webpki). Adding an it as an explicit dependency tells Cargo's version resolver to use that version as the minimum, which is higher than what it would otherwise have chosen.

It's not really necessary to add it. You can just run cargo update -p rustls-webpki to bump the transitive dep in Cargo.lock. This will not affect library consumers, but those would be expected to update their own lock files.

@MDLC01
Copy link
Copy Markdown
Collaborator

MDLC01 commented May 18, 2026

Let's remove it next time we update Cargo.toml then, as it's not causing any issue right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MDLC01 MDLC01 MDLC01 approved these changes

@mkorje mkorje mkorje approved these changes

Assignees

No one assigned

Labels

meta Discussion about the structure of this repo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@T0mstone @MDLC01 @laurmaedje @mkorje