Commit
deps(client): update eventsource-client to fix CVE(s) (#1954)
This PR updates the `eventsource-client` dependency of `fuel-core-client` from `0.10.2` to `0.12.2`.

Rationale: there are multiple security advisories for `hyper-rustls`/`rustls` indirect dependencies ([RUSTSEC-2024-0336](https://rustsec.org/advisories/RUSTSEC-2024-0336), [RUSTSEC-2023-0052](https://rustsec.org/advisories/RUSTSEC-2023-0052), [CVE-2022-31394](GHSA-x477-xp89-wc9r)). Found out about these by running https://github.com/EmbarkStudios/cargo-deny on `fuels-rs`.

No breaking changes.

References:

<details>
<summary>Output of `cargo-deny`</summary>

```
error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /Users/brightone/dev/github.com/FuelLabs/fuels-rs/Cargo.lock:298:1
    │
298 │ rustls 0.19.1 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0336
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    = If a `close_notify` alert is received during a handshake, `complete_io` does not terminate.

      Callers which do not call `complete_io` are not affected.

      `rustls-tokio` and `rustls-ffi` do not call `complete_io` and are not affected.
      `rustls::Stream` and `rustls::StreamOwned` types use `complete_io` and are affected.
    = Announcement: GHSA-6g7w-8wpp-frhj
    = Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    = rustls v0.19.1
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.10.2
      │       └── fuel-core-client v0.28.0
      │           ├── fuels v0.63.1
      │           │   ├── (dev) e2e v0.63.1
      │           │   ├── (dev) fuels-example-codec v0.63.1
      │           │   ├── (dev) fuels-example-contracts v0.63.1
      │           │   ├── (dev) fuels-example-cookbook v0.63.1
      │           │   ├── (dev) fuels-example-debugging v0.63.1
      │           │   ├── (dev) fuels-example-macros v0.63.1
      │           │   ├── (dev) fuels-example-predicates v0.63.1
      │           │   ├── (dev) fuels-example-providers v0.63.1
      │           │   ├── (dev) fuels-example-rust-bindings v0.63.1
      │           │   ├── (dev) fuels-example-types v0.63.1
      │           │   ├── (dev) fuels-example-wallets v0.63.1
      │           │   └── (dev) wasm-tests v0.63.1
      │           ├── fuels-accounts v0.63.1
      │           │   ├── (build) e2e v0.63.1 (*)
      │           │   ├── fuel-core-version v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1
      │           │   │   └── fuels v0.63.1 (*)
      │           │   └── fuels-test-helpers v0.63.1
      │           │       └── fuels v0.63.1 (*)
      │           ├── fuels-core v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-accounts v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1 (*)
      │           │   ├── fuels-test-helpers v0.63.1 (*)
      │           │   └── (dev) wasm-tests v0.63.1 (*)
      │           └── fuels-test-helpers v0.63.1 (*)
      ├── rustls-native-certs v0.5.0
      │   └── hyper-rustls v0.22.1 (*)
      └── tokio-rustls v0.22.0
          └── hyper-rustls v0.22.1 (*)

error[vulnerability]: webpki: CPU denial of service in certificate path building
    ┌─ /Users/brightone/dev/github.com/FuelLabs/fuels-rs/Cargo.lock:426:1
    │
426 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

      Both TLS clients and TLS servers that accept client certificate are affected.

      This was previously reported in <briansmith/webpki#69> and re-reported recently by Luke Malinowski.

      webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.
    = Solution: Upgrade to >=0.22.2 (try `cargo update -p webpki`)
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.10.2
      │       └── fuel-core-client v0.28.0
      │           ├── fuels v0.63.1
      │           │   ├── (dev) e2e v0.63.1
      │           │   ├── (dev) fuels-example-codec v0.63.1
      │           │   ├── (dev) fuels-example-contracts v0.63.1
      │           │   ├── (dev) fuels-example-cookbook v0.63.1
      │           │   ├── (dev) fuels-example-debugging v0.63.1
      │           │   ├── (dev) fuels-example-macros v0.63.1
      │           │   ├── (dev) fuels-example-predicates v0.63.1
      │           │   ├── (dev) fuels-example-providers v0.63.1
      │           │   ├── (dev) fuels-example-rust-bindings v0.63.1
      │           │   ├── (dev) fuels-example-types v0.63.1
      │           │   ├── (dev) fuels-example-wallets v0.63.1
      │           │   └── (dev) wasm-tests v0.63.1
      │           ├── fuels-accounts v0.63.1
      │           │   ├── (build) e2e v0.63.1 (*)
      │           │   ├── fuel-core-version v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1
      │           │   │   └── fuels v0.63.1 (*)
      │           │   └── fuels-test-helpers v0.63.1
      │           │       └── fuels v0.63.1 (*)
      │           ├── fuels-core v0.63.1
      │           │   ├── fuels v0.63.1 (*)
      │           │   ├── fuels-accounts v0.63.1 (*)
      │           │   ├── fuels-programs v0.63.1 (*)
      │           │   ├── fuels-test-helpers v0.63.1 (*)
      │           │   └── (dev) wasm-tests v0.63.1 (*)
      │           └── fuels-test-helpers v0.63.1 (*)
      ├── rustls v0.19.1
      │   ├── hyper-rustls v0.22.1 (*)
      │   ├── rustls-native-certs v0.5.0
      │   │   └── hyper-rustls v0.22.1 (*)
      │   └── tokio-rustls v0.22.0
      │       └── hyper-rustls v0.22.1 (*)
      └── tokio-rustls v0.22.0 (*)

advisories FAILED: 2 errors, 0 warnings, 0 notes
```

</details>

- [release notes](https://github.com/launchdarkly/rust-eventsource-client/releases/tag/0.12.2) for `eventsource-client v0.12.2`

## Checklist

- [ ] Breaking changes are clearly marked as such in the PR description and changelog
- [ ] New behavior is reflected in tests
- [ ] [The specification](https://github.com/FuelLabs/fuel-specs/) matches the implemented behavior (link update PR if changes are needed)

### Before requesting review

- [ ] I have reviewed the code myself
- [ ] I have created follow-up issues caused by this PR and linked them here

Co-authored-by: Green Baneling <XgreenX9999@gmail.com>
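An added example, not code from this PR, from fuels-rs or from cargo-deny: a small std-only Rust check that reads a `Cargo.lock` and reports every copy of a crate whose version is still outside the patched ranges the two advisories above state (`>=0.23.5 OR >=0.22.4,<0.23.0 OR >=0.21.11,<0.22.0` for `rustls`, `>=0.22.2` for `webpki`). It assumes plain `major.minor.patch` versions and the flat `[[package]]` layout of `Cargo.lock`; the lock-file text it is run on is constructed.

```rust
// Added example (not the PR's code): verify a Cargo.lock against RUSTSEC patched ranges.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Ver(pub u64, pub u64, pub u64);

/// Parse "major.minor.patch"; pre-release suffixes are not handled (assumption).
pub fn parse_ver(s: &str) -> Option<Ver> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some(Ver(it.next()??, it.next()??, it.next()??))
}

/// One patched range in the form RUSTSEC advisories use: `>=lo` plus an optional `<hi`.
#[derive(Clone, Copy)]
pub struct Patched { pub lo: Ver, pub hi: Option<Ver> }

/// RUSTSEC-2024-0336 solution: >=0.23.5 OR >=0.22.4,<0.23.0 OR >=0.21.11,<0.22.0
pub const RUSTLS_PATCHED: [Patched; 3] = [
    Patched { lo: Ver(0, 23, 5), hi: None },
    Patched { lo: Ver(0, 22, 4), hi: Some(Ver(0, 23, 0)) },
    Patched { lo: Ver(0, 21, 11), hi: Some(Ver(0, 22, 0)) },
];
/// RUSTSEC-2023-0052 solution: >=0.22.2
pub const WEBPKI_PATCHED: [Patched; 1] = [Patched { lo: Ver(0, 22, 2), hi: None }];

/// A version is patched when it falls inside any one of the listed ranges.
pub fn is_patched(v: Ver, ranges: &[Patched]) -> bool {
    ranges.iter().any(|r| v >= r.lo && r.hi.map_or(true, |h| v < h))
}

/// Minimal Cargo.lock reader: (name, version) for every [[package]] table.
/// A lock file may pin several versions of one crate, so all of them are returned.
pub fn lock_packages(lock: &str) -> Vec<(String, Ver)> {
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    // A sentinel header at the end flushes the last package.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), ver.take()) { out.push((n, v)); }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = parse_ver(rest.trim_matches('"'));
        }
    }
    out
}

/// Versions of `krate` pinned in the lock file that are still unpatched.
pub fn unpatched(lock: &str, krate: &str, ranges: &[Patched]) -> Vec<Ver> {
    lock_packages(lock).into_iter()
        .filter(|(n, v)| n == krate && !is_patched(*v, ranges))
        .map(|(_, v)| v).collect()
}
```

Running `unpatched` over the real lock file before and after the bump is the quickest way to confirm the `eventsource-client` update actually moved `rustls` and `webpki` off the vulnerable versions, independent of cargo-deny's own advisory database.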