Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New cargo audit failures on CI (RUSTSEC-2023-0052 & RUSTSEC-2023-0053) #4651

Closed
jimmygchen opened this issue Aug 22, 2023 · 2 comments
Closed

Comments

@jimmygchen
Copy link
Member

Description

Failing cargo audit CI job
https://github.com/sigp/lighthouse/actions/runs/5943983318/job/16120312336

https://rustsec.org/advisories/RUSTSEC-2023-0052
https://rustsec.org/advisories/RUSTSEC-2023-0053

@jimmygchen
Copy link
Member Author

libp2p tracking issue: libp2p/rust-libp2p#4375

bors bot pushed a commit that referenced this issue Aug 24, 2023
## Issue Addressed

Temporary ignore for #4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (ublocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight.

I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
bors bot pushed a commit that referenced this issue Aug 24, 2023
## Issue Addressed

Temporary ignore for #4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (ublocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight.

I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
bors bot pushed a commit that referenced this issue Sep 22, 2023
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after #4639 get's merged.
closes #4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
bors bot pushed a commit that referenced this issue Sep 22, 2023
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after #4639 get's merged.
closes #4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
bors bot pushed a commit that referenced this issue Sep 22, 2023
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after #4639 get's merged.
closes #4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
bors bot pushed a commit that referenced this issue Sep 22, 2023
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after #4639 get's merged.
closes #4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
bors bot pushed a commit that referenced this issue Sep 22, 2023
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after #4639 get's merged.
closes #4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
@jimmygchen
Copy link
Member Author

Completed in #4650 🎉

Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
## Issue Addressed

Synchronize dependencies and edition on the workspace `Cargo.toml`

## Proposed Changes

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

## Additional Info
this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after sigp#4639 get's merged.
closes sigp#4651


Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
## Issue Addressed

Temporary ignore for sigp#4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (ublocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight.

I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
Synchronize dependencies and edition on the workspace `Cargo.toml`

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after sigp#4639 get's merged.
closes sigp#4651

Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
## Issue Addressed

Temporary ignore for sigp#4651. We are unaffected, and upstream will be patched in a few days.

## Proposed Changes

- Ignore cargo audit failures (ublocks CI)
- Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight.

I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
Synchronize dependencies and edition on the workspace `Cargo.toml`

with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies.
By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times.

this PR also removes the no longer required direct dependency of the `serde_derive` crate.

should be reviewed after sigp#4639 get's merged.
closes sigp#4651

Co-authored-by: Michael Sproul <[email protected]>
Co-authored-by: Michael Sproul <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant