Upgrading from crossbeam-utils 0.7 #1318

Closed
SimonSapin opened this issue Jun 28, 2022 · 3 comments · Fixed by #1419
@SimonSapin
Contributor

Dependabot reports that we may be affected by GHSA-qc84-gqf4-9926. In order to remove crossbeam-utils 0.7.x from our dependency graph we would need moka to upgrade its crossbeam-epoch dependency, which is unfortunately blocked at the moment.

https://github.com/moka-rs/moka/blob/v0.8.6/Cargo.toml#L52-L55
moka-rs/moka#34 (comment)

However, this crossbeam-utils 0.7 issue only occurs on 32-bit platforms. It is unlikely that any router user targets such a platform, but we could add something to artificially make compilation warn or fail in that case.

@tatsuya6502

I did a bit of digging on this, and now I believe Apollo router is not affected by GHSA-qc84-gqf4-9926 at all, even for those target platforms. I am currently confirming this to the creators of crossbeam-* crates via crossbeam-rs/crossbeam#860.

Here is a summary:

  • Dependency graph:
    • router → moka v0.8.6 → crossbeam-epoch v0.8.2 → crossbeam-utils v0.7.2 with GHSA-qc84-gqf4-9926.
  • From the advisory:
    • Crates using fetch_* methods with AtomicCell<{i,u}64> are affected by this issue.
    • I found that crossbeam-epoch v0.8.2 does not use crossbeam_utils::AtomicCell, so it is not affected.

I am also asking the crossbeam creators if they can publish a new v0.8.x of crossbeam-epoch, which depends on a fixed version of crossbeam-utils (although crossbeam-epoch v0.8.2 is not affected). I think this will be an easy way to make GitHub Dependabot happy.

I will let you know if I get any response from them.
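The dependency-path reasoning in the comment above, as an added example that is not code from the Apollo router, moka or crossbeam projects: a Python script that parses a Cargo.lock and lists every path from the workspace root to a crossbeam-utils version in the 0.7.x line the thread flags. The lockfile is constructed, the crate `other-dep` is hypothetical, and the affected-version test follows the thread's "0.7.x" wording rather than the advisory's full range, so substitute the range from GHSA-qc84-gqf4-9926 for a real audit.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

Package = Tuple[str, str]  # (crate name, version)

# Constructed sample Cargo.lock (not from any real project). It mirrors the
# path named in the thread, router -> moka -> crossbeam-epoch ->
# crossbeam-utils 0.7.2, plus an unaffected crossbeam-utils reached through
# a hypothetical crate "other-dep" so that version disambiguation is exercised.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "router"
version = "0.1.0"
dependencies = [
 "moka",
 "other-dep",
]

[[package]]
name = "moka"
version = "0.8.6"
dependencies = [
 "crossbeam-epoch",
]

[[package]]
name = "crossbeam-epoch"
version = "0.8.2"
dependencies = [
 "crossbeam-utils 0.7.2",
]

[[package]]
name = "other-dep"
version = "1.0.0"
dependencies = [
 "crossbeam-utils 0.8.8",
]

[[package]]
name = "crossbeam-utils"
version = "0.7.2"

[[package]]
name = "crossbeam-utils"
version = "0.8.8"
"""


def parse_cargo_lock(text: str) -> Dict[Package, List[str]]:
    """Map each (name, version) in the lockfile to its raw dependency strings."""
    packages: Dict[Package, List[str]] = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        packages[(name, version)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    return packages


def resolve(dep: str, packages: Dict[Package, List[str]]) -> Package:
    """Resolve a lockfile dependency string: "name" or "name version [(source)]".
    A bare name is only legal when exactly one version of that crate is locked."""
    parts = dep.split()
    if len(parts) >= 2:
        return (parts[0], parts[1])
    candidates = [p for p in packages if p[0] == parts[0]]
    if len(candidates) != 1:
        raise ValueError(f"dependency {dep!r} is missing or ambiguous in the lockfile")
    return candidates[0]


def semver(version: str) -> Tuple[int, ...]:
    """Numeric (major, minor, patch) tuple; pre-release and build tags are dropped."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))


def is_affected_crossbeam_utils(version: str) -> bool:
    """Assumption taken from the thread: the 0.7.x line of crossbeam-utils is the
    one flagged. Replace with the advisory's full affected range for a real audit."""
    return semver(version)[:2] == (0, 7)


def find_affected_paths(packages: Dict[Package, List[str]], root: Package, target: str,
                        affected: Callable[[str], bool]) -> List[List[Package]]:
    """Depth-first search for every path from root to an affected version of target."""
    found: List[List[Package]] = []

    def walk(node: Package, path: List[Package], seen: Set[Package]) -> None:
        if node[0] == target and affected(node[1]):
            found.append(path)
            return
        for dep in packages.get(node, []):
            child = resolve(dep, packages)
            if child not in seen:  # lockfiles can contain cycles via dev-dependencies
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return found


def format_path(path: List[Package]) -> str:
    return " -> ".join(f"{name} v{version}" for name, version in path)


if __name__ == "__main__":
    pkgs = parse_cargo_lock(SAMPLE_CARGO_LOCK)
    for p in find_affected_paths(pkgs, ("router", "0.1.0"), "crossbeam-utils", is_affected_crossbeam_utils):
        print(format_path(p))
```

On a real workspace `cargo tree -i crossbeam-utils` gives the same inverted view; the script makes the lockfile resolution rule explicit (a bare name in a dependency list refers to the single locked version of that crate, a name plus version pins one of several). Neither tells you whether the path is exploitable: as the comment notes, that requires reading the intermediate crate's source (here, whether crossbeam-epoch calls the fetch_* methods of AtomicCell on 64-bit types).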

@tatsuya6502

Hi. I fixed the blocking issue in moka (moka-rs/moka#34 (comment)). So I was able to upgrade moka's crossbeam-epoch dependency to the latest version to remove crossbeam-utils 0.7.x from the dependency graph.

I published moka v0.9.2 to crates.io with the fix for the issue and the upgraded dependency. Please upgrade your moka dependency to v0.9.2 when you have a chance.

@SimonSapin
Contributor Author

This is great, thank you!
