Skip to content

Upgrade tink-rust version#12261

Merged
Legoben merged 2 commits into
masterfrom
bens/tink-upgrade
Jun 5, 2026
Merged

Upgrade tink-rust version#12261
Legoben merged 2 commits into
masterfrom
bens/tink-upgrade

Conversation

@Legoben
Copy link
Copy Markdown
Contributor

@Legoben Legoben commented Jun 5, 2026

Description

Linked Issue

  • The linked issue is labeled ready-to-spec or ready-to-implement.
  • Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes).

Testing

  • I have manually tested my changes locally with ./script/run

Screenshots / Videos

Agent Mode

  • Warp Agent Mode - This PR was created via Warp's AI Agent Mode

@cla-bot cla-bot Bot added the cla-signed label Jun 5, 2026
@oz-for-oss
Copy link
Copy Markdown
Contributor

oz-for-oss Bot commented Jun 5, 2026
edited
Loading

@Legoben

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

oz-for-oss[bot]
oz-for-oss Bot reviewed Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@oz-for-oss oz-for-oss Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overview

This PR updates the tink-rust patches from warpdotdev/main to warpdotdev/v0.3.0-eecf54c, with the lockfile moving the Tink crates to commit 54b9ac9af93b0c08b446a7bc0582836c9403a71b and picking up the associated serde_json/zmij lockfile changes. No approved spec context was provided, and the change is not user-visible.

Concerns

  • The Tink patches still use a mutable branch in Cargo.toml; pinning the reviewed commit would make future lockfile refreshes deterministic for this crypto dependency.

Security

  • Supply-chain hardening: pin the exact reviewed Tink commit with rev instead of relying on a branch name.

Verdict

Found: 0 critical, 0 important, 1 suggestions

Approve with nits

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

Comment thread Cargo.toml Outdated
Comment on lines +524 to +526
tink-core = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
tink-proto = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
tink-hybrid = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
Copy link
Copy Markdown
Contributor

@oz-for-oss oz-for-oss Bot Jun 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 [SUGGESTION] [SECURITY] These crypto dependencies still resolve from a mutable branch; pin the reviewed commit with rev so future lockfile refreshes cannot silently move Tink code.

Suggested change
tink-core = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
tink-proto = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
tink-hybrid = { git = "https://github.com/warpdotdev/tink-rust", branch = "warpdotdev/v0.3.0-eecf54c" }
tink-core = { git = "https://github.com/warpdotdev/tink-rust", rev = "54b9ac9af93b0c08b446a7bc0582836c9403a71b" }
tink-proto = { git = "https://github.com/warpdotdev/tink-rust", rev = "54b9ac9af93b0c08b446a7bc0582836c9403a71b" }
tink-hybrid = { git = "https://github.com/warpdotdev/tink-rust", rev = "54b9ac9af93b0c08b446a7bc0582836c9403a71b" }

@Legoben Legoben requested a review from liliwilson June 5, 2026 19:04
@Legoben Legoben merged commit 2bb3a04 into master Jun 5, 2026
26 checks passed
@Legoben Legoben deleted the bens/tink-upgrade branch June 5, 2026 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oz-for-oss oz-for-oss[bot] oz-for-oss[bot] left review comments

@liliwilson liliwilson liliwilson approved these changes

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Legoben @liliwilson