From 126cfea4ccd86c29cbc1f60c7abbc43d87c1fcaf Mon Sep 17 00:00:00 2001
From: Adam Kern
Date: Wed, 21 May 2025 23:03:38 -0400
Subject: [PATCH 1/2] Fixes dependabot issues, mostly via lockfile

Specifically, deals with CVE-2025-4574, GHSA-4fcv-w3qc-ppgg, and GHSA-255r-3prx-mf99
---
 Cargo.lock | 27 +++++++++++++++++----------
 crates/serialization-tests/Cargo.toml | 4 ++--
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index d1a513a74..92ea77608 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -173,9 +173,9 @@ checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b"
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.5.14"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
 dependencies = [
  "crossbeam-utils",
 ]
@@ -593,9 +593,9 @@ dependencies = [
 
 [[package]]
 name = "openssl"
-version = "0.10.71"
+version = "0.10.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
+checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -625,9 +625,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
+checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847"
 dependencies = [
  "cc",
  "libc",
@@ -641,6 +641,12 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
 
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.1"
@@ -822,19 +828,20 @@ dependencies = [
 
 [[package]]
 name = "rmp"
-version = "0.8.10"
+version = "0.8.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f55e5fa1446c4d5dd1f5daeed2a4fe193071771a2636274d0d7a3b082aa7ad6"
+checksum = "228ed7c16fa39782c3b3468e974aec2795e9089153cd08ee2e9aefb3613334c4"
 dependencies = [
  "byteorder",
  "num-traits",
+ "paste",
 ]
 
 [[package]]
 name = "rmp-serde"
-version = "0.14.4"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ce7d70c926fe472aed493b902010bccc17fa9f7284145cb8772fd22fdb052d8"
+checksum = "52e599a477cf9840e92f2cde9a7189e67b42c57532749bf90aea6ec10facd4db"
 dependencies = [
  "byteorder",
  "rmp",
diff --git a/crates/serialization-tests/Cargo.toml b/crates/serialization-tests/Cargo.toml
index be7c4c17b..de78fb586 100644
--- a/crates/serialization-tests/Cargo.toml
+++ b/crates/serialization-tests/Cargo.toml
@@ -19,6 +19,6 @@ ron = { version = "0.8.1" }
 [dev-dependencies]
 serde_json = { version = "1.0.40" }
 # Old version to work with Rust 1.64+
-rmp = { version = "=0.8.10" }
+rmp = { version = "0.8.10" }
 # Old version to work with Rust 1.64+
-rmp-serde = { version = "0.14" }
+rmp-serde = { version = "1.3" }

From 91e4ddea71a1a8e73bef061d600399cfa2647780 Mon Sep 17 00:00:00 2001
From: Adam Kern
Date: Wed, 21 May 2025 23:09:42 -0400
Subject: [PATCH 2/2] Fixes msrv issue with rmp on serialization-tests

---
 Cargo.lock | 8 ++++----
 crates/serialization-tests/Cargo.toml | 7 ++++---
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 92ea77608..a4c37d21b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -828,9 +828,9 @@ dependencies = [
 
 [[package]]
 name = "rmp"
-version = "0.8.14"
+version = "0.8.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "228ed7c16fa39782c3b3468e974aec2795e9089153cd08ee2e9aefb3613334c4"
+checksum = "bddb316f4b9cae1a3e89c02f1926d557d1142d0d2e684b038c11c1b77705229a"
 dependencies = [
  "byteorder",
  "num-traits",
@@ -839,9 +839,9 @@ dependencies = [
 
 [[package]]
 name = "rmp-serde"
-version = "1.3.0"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52e599a477cf9840e92f2cde9a7189e67b42c57532749bf90aea6ec10facd4db"
+checksum = "bffea85eea980d8a74453e5d02a8d93028f3c34725de143085a844ebe953258a"
 dependencies = [
  "byteorder",
  "rmp",
diff --git a/crates/serialization-tests/Cargo.toml b/crates/serialization-tests/Cargo.toml
index de78fb586..4ad165f39 100644
--- a/crates/serialization-tests/Cargo.toml
+++ b/crates/serialization-tests/Cargo.toml
@@ -18,7 +18,8 @@ ron = { version = "0.8.1" }
 
 [dev-dependencies]
 serde_json = { version = "1.0.40" }
+# >=0.8.11 to avoid rmp-serde security vulnerability
+# <0.8.14 to allows MSRV 1.64.0
+rmp = { version = ">=0.8.11,<0.8.14" }
 # Old version to work with Rust 1.64+
-rmp = { version = "0.8.10" }
-# Old version to work with Rust 1.64+
-rmp-serde = { version = "1.3" }
+rmp-serde = { version = ">=1.1.1" }
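Review bot: The retained comment `# Old version to work with Rust 1.64+` now sits above `rmp-serde = { version = ">=1.1.1" }`, a requirement with no upper bound, so the manifest no longer encodes the "old version" the comment describes; the MSRV-compatible choice lives only in Cargo.lock (1.1.2 in this patch), and `cargo update` or any consumer resolving from the manifest alone may take the newest release, including any future 2.x. If 1.1.2 was picked for the 1.64 MSRV, cap the requirement the way the rmp line does, e.g. `rmp-serde = { version = ">=1.1.1,<1.2" }` (constructed example; I cannot tell from the hunk which rmp-serde release raises the MSRV), or otherwise drop the comment so it does not mislead. In the new rmp comment, `# <0.8.14 to allows MSRV 1.64.0` should read `# <0.8.14 to allow MSRV 1.64.0`. The `>=0.8.11` floor would also be easier to audit later if the comment named the advisory it closes: the commit message lists CVE-2025-4574, GHSA-4fcv-w3qc-ppgg and GHSA-255r-3prx-mf99, and the comment on the `rmp` line says "rmp-serde", so state which crate and which id the floor is for.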