fix security vulnerability RUSTSEC-2024-0421

CHANGELOG.md

@@ -4,6 +4,24 @@ This changelog documents the changes between release versions.
 
 ## [Unreleased]
 
+### Fixed
+
+- Upgrade dependencies to get fix for RUSTSEC-2024-0421, a vulnerability in domain name comparisons ([#138](https://github.com/hasura/ndc-mongodb/pull/138))
+
+#### Fix for RUSTSEC-2024-0421 / CVE-2024-12224
+
+Updates dependencies to upgrade the library, idna, to get a version that is not
+affected by a vulnerability reported in [RUSTSEC-2024-0421][].
+
+[RUSTSEC-2024-0421]: https://rustsec.org/advisories/RUSTSEC-2024-0421
+
+The vulnerability allows an attacker to craft a domain name that older versions
+of idna interpret as identical to a legitimate domain name, but that is in fact
+a different name. We do not expect that this impacts the MongoDB connector since
+it uses the affected library exclusively to connect to MongoDB databases, and
+database URLs are supplied by trusted administrators. But better to be safe than
+sorry.
+
 ## [1.5.0] - 2024-12-05
 
 ### Added

docs/development.md

@@ -305,7 +305,7 @@ It's important to keep the GraphQL Engine version updated to make sure that the
 connector is working with the latest engine version. To update run,
 
 ```sh
-$ nix flake lock --update-input graphql-engine-source
+$ nix flake update graphql-engine-source
 ```
 
 Then commit the changes to `flake.lock` to version control.
@@ -332,7 +332,7 @@ any order):
 To update `rust-overlay` run,
 
 ```sh
-$ nix flake lock --update-input rust-overlay
+$ nix flake update rust-overlay
 ```
 
 If you are using direnv to automatically apply the nix dev environment note that

flake.nix

@@ -46,7 +46,7 @@
     # If source changes aren't picked up automatically try:
     #
     # - committing changes to the local engine repo
-    # - running `nix flake lock --update-input graphql-engine-source` in this repo
+    # - running `nix flake update graphql-engine-source` in this repo
     # - arion up -d engine
     #
     graphql-engine-source = {