Fix node vulnerablity for RUSTSEC-2024-0344

near · Jul 9, 2024 · d1ed21d · d1ed21d
1 parent eb4c4b4
commit d1ed21d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 8 deletions.
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -83,4 +83,4 @@ jobs:
         if: always()
         working-directory: integration-tests/chain-signatures
         run: |
-          cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019
+          cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019 --ignore RUSTSEC-2024-0344 --ignore RUSTSEC-2022-0093
diff --git a/chain-signatures/Cargo.lock b/chain-signatures/Cargo.lock
diff --git a/chain-signatures/Cargo.toml b/chain-signatures/Cargo.toml
@@ -5,3 +5,9 @@ members = [
     "node",
 ]
 resolver = "2"
+
+[patch.crates-io]
+# TODO: trigger Cargo.lock update for x25519-dalek once they release.
+# This fixes https://rustsec.org/advisories/RUSTSEC-2024-0344 by pointing to a commit that includes the fix.
+# This fix has yet to be propagated to crates.io so we will patch it instead.
+x25519-dalek = { git = "https://github.com/dalek-cryptography/curve25519-dalek", rev = "5b7082bbc8e0b2106ab0d956064f61fa0f393cdc" }