[rust] dependency upgrades to fix cargo audit warnings #19203
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Blocked until #19208 goes in. |
|
Hi Gary, thanks for working on this! Out of curiosity, how have you been running cargo audit? |
dmcardle
approved these changes
Jul 14, 2023
| index 65c42bb..ee50f55 100644 | ||
| index bec8f86...0000000 100644 |
There was a problem hiding this comment.
FYI @lschuermann, now I remember you mentioned that this patch didn't apply cleanly. Thanks @nbdd0121 for updating it!
I just cd into |
nbdd0121
force-pushed
the
dep
branch
2 times, most recently
from
831c871 to
0140c37
Compare
The output file is slightly different, likely due to the Bazel version upgrade. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
The current nix version has security advisory RUSTSEC-2021-0119. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
The current version is yanked. Updating the version makes the patch not applicable, so the patch is updated and rebased. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
nbdd0121
force-pushed
the
dep
branch
2 times, most recently
from
661a1ae to
baa7099
Compare
|
The previous CI failure is caused by serde-derive starting to use precompiled binary but the file is not considered as data file in Rust rules so Bazel excludes them from sandbox. As a short-term solution I pinned Bazel to 1.0.171 which is the last version without precompiled binary, |
cfrantz
approved these changes
Aug 3, 2023
third_party/rust/Cargo.toml
Outdated
Comment on lines
58
to
60
| # serde-derive 1.0.172 uses precompiled binary which does not work well with Bazel. | ||
| serde = { version="=1.0.171", features = ["derive"] } |
There was a problem hiding this comment.
Can you create an issue in lowRISC/opentitan for this and leave a TODO comment here:
# TODO(opentitan#xxxxx): serde-derive 1.0.172 uses ...
lschuermann
pushed a commit
to lschuermann/opentitan
that referenced
this pull request
Aug 3, 2023
Blocked on lowRISC#19203
`atty` is unmaintained. Switch to `is-terminal` crate, which is already one of our transitive dependency, and has the same API as the Rust std 1.70 `IsTerminal` trait. There are a few places that we are using `nix` to do `isatty`, and these are migrated as well. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
serde 1.0.172+ tries to use precompiled binary for proc macro but Bazel's Rust rules do not include them as data files so build breaks. This also removes the explicit serde_derive dependency which is not needed because we don't access serde_derive crate directly. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
The update addresses the following cargo-audit warnings: * `hermit-abi`, which is a transitive dependency of a few crates, is updated to an unyanked version. * `h2`, which is a transitive dependency of mdbook, is updated to an unyanked version. Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This adds `.cargo/audit.toml` which suppresses two crates that are flagged by `cargo audit` but does not affect us: * `time`, dependency of `chrono`, affected API is not used * `mach`, dependency of `serialport`, only affects MacOS Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
HU90m
approved these changes
Aug 7, 2023
cfrantz
pushed a commit
to cfrantz/opentitan
that referenced
this pull request
Aug 10, 2023
Blocked on lowRISC#19203
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix (almostly) #18970
nixto 0.26serialportto 4.2.1attytois-terminalcargo updaterest of dependenciesThis addresses half of our cargo-audit warnings. The rest are:
time, the affected version is still a dependency of chrono which mdbook uses, but the affected API is not used.mach, dependency ofserialportbut is only used on MacOSansi_term, dependency of serde-annotateSince
timeandmachdoes not affect us, I suppressed their warnings by adding relevant security advisory toaudit.tomlignore section.This lefts us with just
ansi_term.