Speedreader: cargo audit fails #19330

Closed
rillian opened this issue Nov 9, 2021 · 1 comment · Fixed by brave/brave-core#10965

rillian commented Nov 9, 2021

Description

Running cargo audit currently reports a number of issues with dependencies of the speedreader implementation. None of them look critical, but we should still address them.

Steps to Reproduce

  1. cd src/brave/components/speedreader/rust/lib
  2. cargo audit

Actual result:

error: 6 vulnerabilities found!
warning: 2 allowed warnings found

Expected result:

Report should be clean

Reproduces how often:

Always. Running cargo audit on src/brave/build/rust only shows the chrono/time issue.

Brave version (brave://version info)

Brave 1.33.69

Version/Channel Information:

  • Can you reproduce this issue with the current release?
  • Can you reproduce this issue with the beta channel?
  • Can you reproduce this issue with the nightly channel?

Miscellaneous Information:

rillian self-assigned this Nov 9, 2021
rillian added a commit to brave/brave-core that referenced this issue Nov 9, 2021
Move to newer crate versions to address `cargo audit` issues.

Addresses:

- crossbeam-deque 0.8.0 Data race
  https://rustsec.org/advisories/RUSTSEC-2021-0093
- crossbeam-epoch 0.9.3 yanked
- hyper 0.14.4 request smuggling
  https://rustsec.org/advisories/RUSTSEC-2021-0078
- hyper 0.14.4 `Transfer-Encoding` data loss
  https://rustsec.org/advisories/RUSTSEC-2021-0079
- tokio 1.4.0 Task dropped in wrong thread when aborting `LocalSet` task
  https://rustsec.org/advisories/RUSTSEC-2021-0072

Unfortunately chrono hasn't been updated to address RUSTSEC-2020-0159.

Resolves brave/brave-browser#19330

rillian added this to the 1.34.x - Nightly milestone Nov 10, 2021
@stephendonner

Verified PASSED using

Brave 1.34.62 Chromium: 96.0.4664.110 (Official Build) dev (64-bit)
Revision d5ef0e8214bc14c9b5bbf69a1515e431394c62a6-refs/branch-heads/4664@{#1283}
OS Windows 10 Version 20H2 (Build 19042.1415)

Prerequisite:
via brave://flags, enabled Speedreader in 1.33.x

Steps:

  1. fresh-installed Brave 1.34.x
  2. launched 1.34.x and current 1.33.x release against the following URLs, and compared timestamps.

The 24-to-12 hour change is covered in #19428 (comment).

mercurynews.com sfgate.com