
SYS-3868 Update vulnerable cargo.lock dependencies #348

Merged
merged 9 commits into from
Feb 5, 2024

Conversation

nahuseyoum (Contributor) commented Feb 2, 2024

Proposed changes

This PR updates vulnerable dependencies found by running `cargo audit`. There are 5 dependencies identified as vulnerable, but unfortunately these require changes to the substrate library to update. Once the substrate upgrade is complete, we can revisit them.

Type of change/Merge

🚨What type of change is this PR?

Put an x in the boxes that apply

  • Release
    • Increase versions
    • Baseline tests passed
    • Release type:
      • Major release
      • Minor release
      • Patch release

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR.

  • You describe the purpose of the PR, e.g.:
    • What does it do?
    • Highlight what important points reviewers should know about;
    • Indicates if there is something left for follow-up PRs.
  • Documentation updated
  • Business logic tested successfully
  • Verify First, Write Last: In Substrate development, it is important that you always ensure preconditions are met and return errors at the beginning. After these checks have completed, then you may begin the function's computation.

Further comments
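The PR body draws a line that every `cargo audit` follow-up has to draw: some advisories can be closed in Cargo.lock alone by pinning a newer semver-compatible version of the flagged crate, while others need a dependent crate (here substrate) to bump its requirement first, because no patched version satisfies the requirement the dependent declares. The script below, an added example that is not code from this PR or the project, automates that split over a `cargo audit --json` report. The report shape follows `cargo audit --json` (`vulnerabilities.list[].package`, `.versions.patched`), but the crate names and advisory IDs in the sample are constructed placeholders, and the compatibility check assumes dependents use Cargo's default caret requirement (`name = "X.Y.Z"`); a dependent with an `=` or otherwise tighter requirement still blocks the fix.

```python
"""Split a `cargo audit --json` report into lockfile-only fixes and fixes
that need a dependent crate to raise its version requirement.

Added example; not the PR's or the project's code. The report below is a
constructed sample with placeholder crate names and advisory IDs.
"""
import json
import re
from typing import NamedTuple, Optional


class Ver(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(s: str) -> Ver:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unsupported version string: {s!r}")
    return Ver(*(int(x) for x in m.groups()))


def lower_bound(req: str) -> Optional[Ver]:
    """Advisory patched ranges look like '>=X.Y.Z' or '>=X.Y.Z, <A.B.C';
    the '>=' part is the first version that carries the fix."""
    for part in req.split(","):
        part = part.strip()
        if part.startswith(">="):
            return parse_version(part[2:])
    return None


def caret_compatible(locked: Ver, cand: Ver) -> bool:
    """Cargo's default caret requirement: a dependent declaring `name = "X.Y.Z"`
    accepts any version semver-compatible with X.Y.Z. For 0.x crates the
    minor number is the breaking boundary, for 0.0.x every patch is."""
    if cand < locked:
        return False
    if locked.major > 0:
        return cand.major == locked.major
    if locked.minor > 0:
        return cand.major == 0 and cand.minor == locked.minor
    return cand == locked


def triage(report: dict) -> dict:
    """Return {'fixable': [...], 'blocked': [...]}.

    fixable entries: (advisory id, crate, locked version, cargo command)
    blocked entries: (advisory id, crate, locked version) - the fixed
    version is outside the caret range, so a dependent must bump first."""
    fixable, blocked = [], []
    for vuln in report["vulnerabilities"]["list"]:
        name = vuln["package"]["name"]
        locked_str = vuln["package"]["version"]
        locked = parse_version(locked_str)
        bounds = [lower_bound(r) for r in vuln["versions"]["patched"]]
        candidates = sorted(v for v in bounds if v and caret_compatible(locked, v))
        entry = (vuln["advisory"]["id"], name, locked_str)
        if candidates:
            target = ".".join(map(str, candidates[0]))
            # Pin exactly the locked instance of the crate (name@version), so
            # other versions of the same crate in Cargo.lock are left alone.
            cmd = f"cargo update -p {name}@{locked_str} --precise {target}"
            fixable.append(entry + (cmd,))
        else:
            blocked.append(entry)
    return {"fixable": fixable, "blocked": blocked}


# Constructed sample in the `cargo audit --json` shape; crate names and
# RUSTSEC ids are placeholders, not real advisories.
SAMPLE_REPORT = json.loads('''{
 "vulnerabilities": {"found": true, "count": 3, "list": [
  {"advisory": {"id": "RUSTSEC-0000-0001", "package": "example-hash"},
   "versions": {"patched": [">=0.12.3, <0.13.0", ">=0.14.3"], "unaffected": []},
   "package": {"name": "example-hash", "version": "0.12.1"}},
  {"advisory": {"id": "RUSTSEC-0000-0002", "package": "example-codec"},
   "versions": {"patched": [">=2.0.0"], "unaffected": []},
   "package": {"name": "example-codec", "version": "1.4.0"}},
  {"advisory": {"id": "RUSTSEC-0000-0003", "package": "example-tiny"},
   "versions": {"patched": [">=0.0.5"], "unaffected": []},
   "package": {"name": "example-tiny", "version": "0.0.4"}}
 ]}}''')


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Fixable in Cargo.lock:")
    for adv, name, ver, cmd in result["fixable"]:
        print(f"  {adv} {name} {ver}: {cmd}")
    print("Blocked on a dependent's requirement:")
    for adv, name, ver in result["blocked"]:
        print(f"  {adv} {name} {ver}")
```

Running it on the sample classifies `example-hash` as fixable in the lock file (0.12.1 to 0.12.3 stays inside `^0.12`) and the other two as blocked: `example-codec` needs a 1.x to 2.x jump and `example-tiny` is a 0.0.x crate, where any version change is breaking. The blocked list is what a follow-up ticket like the one mentioned in the PR should carry, together with which dependent pins the old range.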

Base automatically changed from nahu-sys3866-bench2 to main February 2, 2024 12:11
thadouk (Contributor) commented Feb 2, 2024

> This PR updates vulnerable dependencies found by running cargo audit. There are 5 dependencies identified as vulnerable but unfortunately these require changes to the substrate library to update. Once the substrate upgrade is complete, we can revisit them.

Can you list the packages that were identified?
For example, `hashbrown`, which is updated: the version that was used before was 0.14.3, which is newer than the 0.12.3 used now.

nahuseyoum (Contributor, Author) commented

> This PR updates vulnerable dependencies found by running cargo audit. There are 5 dependencies identified as vulnerable but unfortunately these require changes to the substrate library to update. Once the substrate upgrade is complete, we can revisit them.
>
> Can you list the packages that were identified? For example hashbrowns that is updated, the version that was used before was 0.14.3 which is newer than 0.12.3 used now

@thadouk the list is in the Jira ticket, and the fix updates the libraries related to the ones we patched to a common "good" version.

@nahuseyoum nahuseyoum merged commit 6b9595d into main Feb 5, 2024
5 checks passed
@nahuseyoum nahuseyoum deleted the nahu-sys3868-cargolock branch February 5, 2024 14:17