New cargo audit failures on CI (RUSTSEC-2023-0052 & RUSTSEC-2023-0053) #4651
Comments
libp2p tracking issue: libp2p/rust-libp2p#4375
bors bot pushed a commit that referenced this issue on Aug 24, 2023:

## Issue Addressed

Temporary ignore for #4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (unblocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
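The commit above takes two measures: a temporary `cargo audit` ignore so CI is not blocked, and `--locked` so release builds only use what `Cargo.lock` pins. The snippet below is an added example, not code from the lighthouse repository: it keeps the ignored advisory IDs in an allowlist with an expiry date and only emits `--ignore` flags for entries that have not expired, so a "temporary" exception fails the job once its date passes instead of quietly becoming permanent. The allowlist contents, the file name `.cargo-audit-ignore` and the `audit_ignore_flags` function are assumptions; `cargo audit --ignore` and `cross build --locked` are the real flags.

```shell
#!/bin/sh
# Added example (not from the lighthouse repo): time-boxed cargo-audit ignores.
# Constructed allowlist; in CI this would be a file checked into the repo
# (assumed name .cargo-audit-ignore). Format per line:
#   ADVISORY-ID  EXPIRES(YYYY-MM-DD)  reason...
AUDIT_IGNORES='RUSTSEC-2023-0052 2023-09-30 unaffected; tracking libp2p/rust-libp2p#4375
RUSTSEC-2023-0053 2023-09-30 unaffected; tracking libp2p/rust-libp2p#4375'

# Emit "--ignore ID ..." for every entry still valid on $1 (an ISO date, e.g. $(date +%F)).
# Returns 1 if any entry has expired, so the job fails instead of keeping a stale exception;
# returns 2 on a malformed line.
audit_ignore_flags() {
    today_num=$(printf '%s' "$1" | sed 's/-//g')
    flags=""
    status=0
    while read -r id expiry reason; do
        [ -n "$id" ] || continue
        case "$id" in
            RUSTSEC-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
            *) echo "malformed advisory id: $id" >&2; return 2 ;;
        esac
        case "$expiry" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "malformed expiry for $id: $expiry" >&2; return 2 ;;
        esac
        # ISO dates with the dashes removed compare correctly as integers,
        # so no GNU-specific `date -d` is needed.
        expiry_num=$(printf '%s' "$expiry" | sed 's/-//g')
        if [ "$expiry_num" -lt "$today_num" ]; then
            echo "ignore for $id expired on $expiry ($reason); re-assess or remove it" >&2
            status=1
        else
            flags="$flags --ignore $id"
        fi
    done <<EOF
$AUDIT_IGNORES
EOF
    printf '%s\n' "${flags# }"
    return $status
}

# In the CI job (not executed here):
#   cargo audit $(audit_ignore_flags "$(date +%F)") || exit 1
#   cross build --release --locked --target "$TARGET"   # --locked: build only what Cargo.lock pins
```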
bors bot pushed a commit that referenced this issue on Sep 22, 2023:

## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`.

## Proposed Changes

With rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease the compile times.

## Additional Info

This PR also removes the no longer required direct dependency of the `serde_derive` crate. Should be reviewed after #4639 gets merged.

Closes #4651

Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Completed in #4650 🎉
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue on Jan 6, 2024:

## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`.

## Proposed Changes

With rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease the compile times.

## Additional Info

This PR also removes the no longer required direct dependency of the `serde_derive` crate. Should be reviewed after sigp#4639 gets merged.

Closes sigp#4651

Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue on Jan 6, 2024:

## Issue Addressed

Temporary ignore for sigp#4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (unblocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue on Jan 6, 2024:

Synchronize dependencies and edition on the workspace `Cargo.toml`. With rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease the compile times. This PR also removes the no longer required direct dependency of the `serde_derive` crate. Should be reviewed after sigp#4639 gets merged.

Closes sigp#4651

Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Description
Failing cargo audit CI job
https://github.com/sigp/lighthouse/actions/runs/5943983318/job/16120312336
https://rustsec.org/advisories/RUSTSEC-2023-0052
https://rustsec.org/advisories/RUSTSEC-2023-0053