
chore(deps): ignore RUSTSEC-2026-0049 (rustls-webpki) until rustls can be upgraded#24986

Merged
pront merged 2 commits into
masterfrom
pront-fix-deny-advisories
Mar 23, 2026

Conversation

@pront
Member

@pront pront commented Mar 23, 2026

Summary

make check-deny fails due to RUSTSEC-2026-0049 (rustls-webpki 0.101.7): a vulnerability where certificates with multiple CRL distribution points only have the first one checked, so subsequent CRLs can be silently skipped for revocation. The fix requires rustls-webpki >= 0.103.10, which means upgrading rustls from 0.21 to 0.23+ — a significant chain that touches aws-smithy-http-client, hyper-rustls, tokio-rustls, and tokio-tungstenite.

Some crates have not yet updated to rustls-webpki >= 0.103.10, such as async-nats. Others are permanently stuck on older versions of rustls since we're using very outdated versions, such as tonic, reqwest, bollard, etc. These depend on the http 1.0 upgrade.

Vector configuration

N/A

How did you test this PR?

make check-deny

Output: advisories ok, bans ok, licenses ok, sources ok

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
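To make the advisory's failure mode concrete, here is a small added model (not rustls-webpki's or Vector's code) of a revocation lookup over constructed CRLs. It assumes a simplified world where a CRL is just a set of revoked serials published at one distribution point URL; the first function consults only the first distribution point, as the advisory describes, and the second consults all of them.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed model: one CRL per distribution point URL, each a set of
/// revoked serial numbers. Not the real CRL/X.509 structures.
type Crls = HashMap<String, HashSet<u64>>;

/// Constructed sample data: two distribution points. Serial 0x42 is
/// listed as revoked only in the second CRL.
fn sample_crls() -> Crls {
    let mut crls = HashMap::new();
    crls.insert("http://crl.example/a.crl".to_string(), HashSet::from([0x10, 0x11]));
    crls.insert("http://crl.example/b.crl".to_string(), HashSet::from([0x42]));
    crls
}

/// Models the behaviour RUSTSEC-2026-0049 describes: only the first CRL
/// distribution point named in the certificate is checked, so a serial
/// revoked via a later distribution point is treated as valid.
fn is_revoked_first_dp_only(cert_dps: &[&str], crls: &Crls, serial: u64) -> bool {
    match cert_dps.first().and_then(|dp| crls.get(*dp)) {
        Some(crl) => crl.contains(&serial),
        None => false,
    }
}

/// Corrected behaviour: the certificate is revoked if the CRL of any of
/// its distribution points lists its serial.
fn is_revoked_all_dps(cert_dps: &[&str], crls: &Crls, serial: u64) -> bool {
    cert_dps
        .iter()
        .filter_map(|dp| crls.get(*dp))
        .any(|crl| crl.contains(&serial))
}

fn main() {
    let crls = sample_crls();
    // Hypothetical certificate carrying two distribution points.
    let dps = ["http://crl.example/a.crl", "http://crl.example/b.crl"];
    // Serial 0x42 is revoked via the second DP; the first-only check misses it.
    println!("first DP only: revoked={}", is_revoked_first_dp_only(&dps, &crls, 0x42)); // false
    println!("all DPs:       revoked={}", is_revoked_all_dps(&dps, &crls, 0x42)); // true
}
```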
@pront pront requested a review from a team as a code owner March 23, 2026 15:03
@pront pront changed the title chore: ignore new RUSTSEC advisories that cannot be immediately fixed chore: ignore RUSTSEC-2026-0049 (rustls-webpki) until rustls can be upgraded Mar 23, 2026
@pront pront added the no-changelog Changes in this PR do not need user-facing explanations in the release changelog label Mar 23, 2026
@pront pront changed the title chore: ignore RUSTSEC-2026-0049 (rustls-webpki) until rustls can be upgraded chore(deps): ignore RUSTSEC-2026-0049 (rustls-webpki) until rustls can be upgraded Mar 23, 2026
@pront pront marked this pull request as draft March 23, 2026 16:57
@pront pront marked this pull request as ready for review March 23, 2026 20:21
@pront pront added this pull request to the merge queue Mar 23, 2026
Merged via the queue into master with commit f62a9ff Mar 23, 2026
73 of 78 checks passed
@pront pront deleted the pront-fix-deny-advisories branch March 23, 2026 20:26
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 23, 2026
