
Bump deps to let vulnerable transitive deps go #3

Merged
merged 1 commit into from
Jul 22, 2023

Conversation

mumoshu

@mumoshu mumoshu commented Jul 21, 2023

I've bumped grpcio, protobuf-build, and prost to let vulnerable versions of prost-types and openssl go.
I've chosen these versions of grpcio and protobuf-build because they depend on the same version of prost, which should be good for compatibility.

I'll publish 0.1.0-surreal.2 which follows our current 0.1.0-surreal.1 once this gets merged.

BEFORE

$ cargo audit 
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 554 security advisories (from /home/mumoshu/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (245 crate dependencies)
Crate:     openssl
Version:   0.10.52
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55
Dependency tree:
openssl 0.10.52
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.16
    │   │   ├── surrealdb-tikv-client 0.1.0-surreal.1
    │   │   └── prometheus 0.12.0
    │   │       └── surrealdb-tikv-client 0.1.0-surreal.1
    │   └── hyper-tls 0.5.0
    │       └── reqwest 0.11.16
    ├── reqwest 0.11.16
    └── hyper-tls 0.5.0

Crate:     prost-types
Version:   0.7.0
Title:     Conversion from `prost_types::Timestamp` to `SystemTime` can cause an overflow and panic
Date:      2021-07-08
ID:        RUSTSEC-2021-0073
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0073
Solution:  Upgrade to >=0.8.0
Dependency tree:
prost-types 0.7.0
└── prost-build 0.7.0
    └── protobuf-build 0.12.3
        └── surrealdb-tikv-client-proto 0.1.0-surreal.1
            ├── surrealdb-tikv-client-store 0.1.0-surreal.1
            │   └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
            │   └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── surrealdb-tikv-client-common 0.1.0-surreal.1
            │   ├── surrealdb-tikv-client-store 0.1.0-surreal.1
            │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
            │   └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── surrealdb-tikv-client 0.1.0-surreal.1
            └── surrealdb-mock-tikv 0.0.0
                └── surrealdb-tikv-client 0.1.0-surreal.1

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │   └── surrealdb-tikv-client 0.1.0-surreal.1
    ├── surrealdb-tikv-client-common 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-store 0.1.0-surreal.1
    │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │   └── surrealdb-tikv-client 0.1.0-surreal.1
    └── surrealdb-tikv-client 0.1.0-surreal.1

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── simple_logger 1.16.0
│   └── surrealdb-tikv-client 0.1.0-surreal.1
├── colored 1.9.3
│   └── simple_logger 1.16.0
└── clap 2.34.0
    ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │   └── surrealdb-tikv-client 0.1.0-surreal.1
    ├── surrealdb-tikv-client-common 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-store 0.1.0-surreal.1
    │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │   └── surrealdb-tikv-client 0.1.0-surreal.1
    └── surrealdb-tikv-client 0.1.0-surreal.1

Crate:     bumpalo
Version:   3.12.1
Warning:   yanked
Dependency tree:
bumpalo 3.12.1
└── wasm-bindgen-backend 0.2.84
    └── wasm-bindgen-macro-support 0.2.84
        └── wasm-bindgen-macro 0.2.84
            └── wasm-bindgen 0.2.84
                ├── web-sys 0.3.61
                │   ├── wasm-bindgen-futures 0.4.34
                │   │   └── reqwest 0.11.16
                │   │       ├── surrealdb-tikv-client 0.1.0-surreal.1
                │   │       └── prometheus 0.12.0
                │   │           └── surrealdb-tikv-client 0.1.0-surreal.1
                │   └── reqwest 0.11.16
                ├── wasm-bindgen-futures 0.4.34
                ├── reqwest 0.11.16
                └── js-sys 0.3.61
                    ├── web-sys 0.3.61
                    ├── wasm-bindgen-futures 0.4.34
                    └── reqwest 0.11.16

Crate:     hermit-abi
Version:   0.3.1
Warning:   yanked
Dependency tree:
hermit-abi 0.3.1
└── io-lifetimes 1.0.10
    └── rustix 0.37.14
        └── tempfile 3.5.0
            ├── surrealdb-tikv-client-common 0.1.0-surreal.1
            │   ├── surrealdb-tikv-client-store 0.1.0-surreal.1
            │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
            │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
            │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
            │   └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── rusty-fork 0.3.0
            │   └── proptest 1.1.0
            │       ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
            │       ├── surrealdb-tikv-client-common 0.1.0-surreal.1
            │       └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── prost-build 0.11.9
            │   └── grpcio-compiler 0.12.1
            │       └── protobuf-build 0.12.3
            │           └── surrealdb-tikv-client-proto 0.1.0-surreal.1
            │               ├── surrealdb-tikv-client-store 0.1.0-surreal.1
            │               ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
            │               ├── surrealdb-tikv-client-common 0.1.0-surreal.1
            │               ├── surrealdb-tikv-client 0.1.0-surreal.1
            │               └── surrealdb-mock-tikv 0.0.0
            │                   └── surrealdb-tikv-client 0.1.0-surreal.1
            ├── prost-build 0.7.0
            │   └── protobuf-build 0.12.3
            ├── proptest 1.1.0
            ├── native-tls 0.2.11
            │   ├── tokio-native-tls 0.3.1
            │   │   ├── reqwest 0.11.16
            │   │   │   ├── surrealdb-tikv-client 0.1.0-surreal.1
            │   │   │   └── prometheus 0.12.0
            │   │   │       └── surrealdb-tikv-client 0.1.0-surreal.1
            │   │   └── hyper-tls 0.5.0
            │   │       └── reqwest 0.11.16
            │   ├── reqwest 0.11.16
            │   └── hyper-tls 0.5.0
            └── grpcio-compiler 0.12.1

Crate:     rustix
Version:   0.37.14
Warning:   yanked
Dependency tree:
rustix 0.37.14
└── tempfile 3.5.0
    ├── surrealdb-tikv-client-common 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-store 0.1.0-surreal.1
    │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
    │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │   │   └── surrealdb-tikv-client 0.1.0-surreal.1
    │   └── surrealdb-tikv-client 0.1.0-surreal.1
    ├── rusty-fork 0.3.0
    │   └── proptest 1.1.0
    │       ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │       ├── surrealdb-tikv-client-common 0.1.0-surreal.1
    │       └── surrealdb-tikv-client 0.1.0-surreal.1
    ├── prost-build 0.11.9
    │   └── grpcio-compiler 0.12.1
    │       └── protobuf-build 0.12.3
    │           └── surrealdb-tikv-client-proto 0.1.0-surreal.1
    │               ├── surrealdb-tikv-client-store 0.1.0-surreal.1
    │               ├── surrealdb-tikv-client-pd 0.1.0-surreal.1
    │               ├── surrealdb-tikv-client-common 0.1.0-surreal.1
    │               ├── surrealdb-tikv-client 0.1.0-surreal.1
    │               └── surrealdb-mock-tikv 0.0.0
    │                   └── surrealdb-tikv-client 0.1.0-surreal.1
    ├── prost-build 0.7.0
    │   └── protobuf-build 0.12.3
    ├── proptest 1.1.0
    ├── native-tls 0.2.11
    │   ├── tokio-native-tls 0.3.1
    │   │   ├── reqwest 0.11.16
    │   │   │   ├── surrealdb-tikv-client 0.1.0-surreal.1
    │   │   │   └── prometheus 0.12.0
    │   │   │       └── surrealdb-tikv-client 0.1.0-surreal.1
    │   │   └── hyper-tls 0.5.0
    │   │       └── reqwest 0.11.16
    │   ├── reqwest 0.11.16
    │   └── hyper-tls 0.5.0
    └── grpcio-compiler 0.12.1

error: 2 vulnerabilities found!
warning: 5 allowed warnings found

AFTER

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 554 security advisories (from /home/mumoshu/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (235 crate dependencies)
Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
    │   └── surrealdb-tikv-client 0.1.0-surreal.2
    ├── surrealdb-tikv-client-common 0.1.0-surreal.2
    │   ├── surrealdb-tikv-client-store 0.1.0-surreal.2
    │   │   └── surrealdb-tikv-client 0.1.0-surreal.2
    │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
    │   └── surrealdb-tikv-client 0.1.0-surreal.2
    ├── surrealdb-tikv-client 0.1.0-surreal.2
    └── bindgen 0.59.2
        └── grpcio-sys 0.10.3+1.44.0-patched
            └── grpcio 0.10.4
                ├── surrealdb-tikv-client-store 0.1.0-surreal.2
                ├── surrealdb-tikv-client-proto 0.1.0-surreal.2
                │   ├── surrealdb-tikv-client-store 0.1.0-surreal.2
                │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
                │   ├── surrealdb-tikv-client-common 0.1.0-surreal.2
                │   ├── surrealdb-tikv-client 0.1.0-surreal.2
                │   └── surrealdb-mock-tikv 0.0.0
                │       └── surrealdb-tikv-client 0.1.0-surreal.2
                ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
                ├── surrealdb-tikv-client-common 0.1.0-surreal.2
                ├── surrealdb-tikv-client 0.1.0-surreal.2
                └── surrealdb-mock-tikv 0.0.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── simple_logger 1.16.0
│   └── surrealdb-tikv-client 0.1.0-surreal.2
├── env_logger 0.9.3
│   └── bindgen 0.59.2
│       └── grpcio-sys 0.10.3+1.44.0-patched
│           └── grpcio 0.10.4
│               ├── surrealdb-tikv-client-store 0.1.0-surreal.2
│               │   └── surrealdb-tikv-client 0.1.0-surreal.2
│               ├── surrealdb-tikv-client-proto 0.1.0-surreal.2
│               │   ├── surrealdb-tikv-client-store 0.1.0-surreal.2
│               │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
│               │   │   └── surrealdb-tikv-client 0.1.0-surreal.2
│               │   ├── surrealdb-tikv-client-common 0.1.0-surreal.2
│               │   │   ├── surrealdb-tikv-client-store 0.1.0-surreal.2
│               │   │   ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
│               │   │   └── surrealdb-tikv-client 0.1.0-surreal.2
│               │   ├── surrealdb-tikv-client 0.1.0-surreal.2
│               │   └── surrealdb-mock-tikv 0.0.0
│               │       └── surrealdb-tikv-client 0.1.0-surreal.2
│               ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
│               ├── surrealdb-tikv-client-common 0.1.0-surreal.2
│               ├── surrealdb-tikv-client 0.1.0-surreal.2
│               └── surrealdb-mock-tikv 0.0.0
├── colored 1.9.3
│   └── simple_logger 1.16.0
└── clap 2.34.0
    ├── surrealdb-tikv-client-pd 0.1.0-surreal.2
    ├── surrealdb-tikv-client-common 0.1.0-surreal.2
    ├── surrealdb-tikv-client 0.1.0-surreal.2
    └── bindgen 0.59.2

warning: 2 allowed warnings found
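As an added example (not code from this PR or the surrealdb-tikv-client project): a small Python parser for the human-readable cargo audit output quoted above, which separates the records cargo audit counts as vulnerabilities from those it reports as allowed warnings (unmaintained, unsound, yanked) and lists which advisories a dependency bump resolved. The sample input is constructed from the advisory headers above, with the dependency trees trimmed.

```python
import re
# Constructed sample: advisory headers from the two cargo-audit runs quoted above,
# trimmed so this runs offline (one tree fragment is kept to show it is skipped).
BEFORE = """\
Crate:     openssl
Version:   0.10.52
ID:        RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55
Dependency tree:
openssl 0.10.52
└── native-tls 0.2.11

Crate:     prost-types
Version:   0.7.0
ID:        RUSTSEC-2021-0073
Solution:  Upgrade to >=0.8.0

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
ID:        RUSTSEC-2021-0139
"""
AFTER = """\
Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
ID:        RUSTSEC-2021-0139
"""
FIELD = re.compile(r"^(Crate|Version|Title|Warning|ID|Solution):\s+(.*)$")

def parse_audit(text):
    """Map advisory ID -> fields for each 'Crate:' block of cargo-audit text output.
    Blocks with no 'Warning:' line are vulnerabilities, which make cargo audit fail."""
    records, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:  # dependency-tree lines and blanks carry no fields we need
            continue
        key, value = m.groups()
        if key == "Crate":
            current = {"crate": value, "vulnerability": True}
        elif current is not None:
            current[key.lower()] = value
            current["vulnerability"] &= key != "Warning"
            if key == "ID":
                records[value] = current  # same dict, so later fields still land

    return records

def open_vulnerabilities(text):
    """IDs cargo audit counts as vulnerabilities rather than allowed warnings."""
    return {aid for aid, r in parse_audit(text).items() if r["vulnerability"]}

def resolved_vulnerabilities(before, after):
    """Vulnerability IDs present before the dependency bump and absent after it."""
    return open_vulnerabilities(before) - set(parse_audit(after))
```

Run against real output, feed it `cargo audit` captured before and after a bump; the page's two runs yield the two RUSTSEC IDs as resolved and leave only warnings open.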

@mumoshu mumoshu merged commit 991f23d into surrealdb:0.1.0-surreal.x Jul 22, 2023
@mumoshu mumoshu deleted the bump-vuln-deps branch July 22, 2023 01:40