Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat patch idna security issue #22

Merged
merged 3 commits into from
Dec 21, 2024
Merged

Conversation

husni-zuhdi
Copy link
Owner

The dependabot issue: idna accepts Punycode labels that do not produce any non-ASCII when decoded

idnaused by url that is used by octocrab and sqlite.
To mitigate this issue, I tried manually updating the idea version to 1.0.0 by using the cargo add [email protected] command from the local development device. This doesn't work, of course. The second try is to update all crates with cargo update, but I make sure the idea was updated by running the dry run version cargo update—-dry-run.

After confirming the idna will be bumped to 1.0.3 I ran the update crates command and tested the new update. Turns out there is an error in the core Error crate that is tracked in here. The fix was introduced to rust toolchain 1.81.0. So I upgrade Rust version, dockerfile, and github action workflows to follow the requirements. I don't think it counts as a major update in semver as we didn't introduce breaking changes (will update this PR later).

@husni-zuhdi
Copy link
Owner Author

Rust unit test passed. I think we can go to merge this PR 👍

@husni-zuhdi husni-zuhdi merged commit 7b6b535 into main Dec 21, 2024
2 checks passed
@husni-zuhdi husni-zuhdi deleted the feat-patch-idna-security-issue branch December 21, 2024 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant