This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

fix(deps): update rust crate warp to 0.3.0 [security] #13

Open
wants to merge 1 commit into
base: main

text-html-renovate[bot]
Contributor

@text-html-renovate text-html-renovate bot commented Sep 26, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| warp | dependencies | minor | 0.2.2 -> 0.3.0 |

GitHub Vulnerability Alerts

GHSA-8v4j-7jgf-5rg9

Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted by this.


Release Notes

seanmonstar/warp (warp)

v0.3.3

  • Fixes:
    • Fix fs filters path sanitization to reject colons on Windows.

v0.3.2

  • Features:
    • Add Filter::then(), which is like Filter::map() in that it's infallible, but is async like Filter::and_then().
    • Add redirect::found() reply helper that returns 302 Found.
    • Add compression-brotli and compression-gzip cargo features to enable only the compression you need.
    • Allow HEAD requests to be served to fs::dir() filters.
    • Allow path!() with no arguments.
  • Fixes:
    • Update private dependencies Tungstenite and Multipart.
    • Replaces uses of futures with futures-util, which is a smaller dependency.

v0.3.1

  • Features:
    • Add pong constructor to websocket messages.
    • Add redirect::see_other and redirect::permanent helpers.
  • Fixes:
    • Fix fs filters sometimes having an off-by-one error with range requests.
    • Fix CORS to allow spaces when checking Access-Control-Request-Headers.

v0.3.0

  • Features:
    • Add TLS client authentication support.
    • Add TLS OCSP stapling support.
    • Add From<Reject> for Rejection.
    • Add close_frame accessor to ws::Message.
  • Changes:
    • Update to Tokio v1.
    • Update to Bytes v1.
    • Update to hyper v0.14.
    • Rework sse filter to be more like ws, with a single Event type and builder.
    • Change cookie filter to extract a generic FromStr value.

v0.2.5 (August 31, 2020)

  • Features:
    • Add wrap_fn, which can be used to create a Wrap from a closure. These in turn are used with Filter::with().
    • Add warp::host filters to deal with Host/:authority headers.
    • Relax some lifetime bounds on Server.
  • Fixes:
    • Fix panic when URI doesn't have a slash (for example, CONNECT foo.bar).

v0.2.4 (July 20, 2020)

  • Features:
    • Add tracing internals in place of log (log is still emitted for backwards compatibility).
    • Add warp::trace module set of filters to customize tracing diagnostics.
    • Add path method to warp::fs::File reply.
    • Add source implementation for BodyDeserializeError.
    • Make warp::ws::MissingConnectionUpgrade rejection public.

v0.2.3 (May 19, 2020)

  • Features:
    • Add warp::compression filters, which will compress response bodies.
    • Add warp::header::value() filter to get a request HeaderValue.
    • Add request_headers method to warp::log::Info.
    • Add max_frame_size to warp::ws::Ws builder.
    • Add remote_addr to warp::test::RequestBuilder.
    • Add try_bind_with_graceful_shutdown to warp::Server builder.
    • Add serve_incoming_with_graceful_shutdown to warp::Server builder.
  • Fixes:
    • Fix warp::addr::remote when used with Server::tls.
    • Fix panic in warp::path::{peek, tail, full} filters when the request URI is in authority-form or asterisk-form.

v0.2.2 (March 3, 2020)

  • Features:
    • Implement Reply for all Box<T> where T: Reply.
    • Add name methods to MissingHeader, InvalidHeader, and MissingCookie rejections.
    • Add warp::ext::optional() filter that optionally retrieves an extension from the request.
  • Fixes:
    • Fix the sending of pings when a user sends a ws::Message::ping().

v0.2.1 (January 23, 2020)

  • Features:
    • Add close and close_with constructors to warp::ws::Message.
  • Fixes:
    • Fix warp::fs filters using a very small read buffer.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
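
The colon check named in the v0.3.3 release note, shown beside a lenient policy as an added example (not warp's source and not part of this PR). `resolve`, `sanitize_lenient`, `sanitize_strict` and `Rejected` are hypothetical names, the lenient policy is an assumption modelled on the advisory's description, and the request tail is assumed to be percent-decoded already.

```rust
use std::path::{Path, PathBuf};

/// Why a request tail was refused.
#[derive(Debug, PartialEq)]
pub enum Rejected {
    ParentDir,
    Backslash,
    Colon,
}

// Shared walk over the '/'-separated tail; `reject_colon` selects the policy.
// Assumes `tail` has already been percent-decoded.
fn resolve(base: &Path, tail: &str, reject_colon: bool) -> Result<PathBuf, Rejected> {
    let mut out = base.to_path_buf();
    for seg in tail.split('/') {
        if seg.is_empty() || seg == "." {
            continue;
        }
        if seg == ".." {
            return Err(Rejected::ParentDir);
        }
        if seg.contains('\\') {
            return Err(Rejected::Backslash);
        }
        // "c:" is an ordinary file name on Unix but a drive prefix on Windows,
        // where PathBuf::push replaces the accumulated path with it.
        if reject_colon && seg.contains(':') {
            return Err(Rejected::Colon);
        }
        out.push(seg);
    }
    Ok(out)
}

/// Lenient policy (hypothetical): stops "..", lets "c:" through.
pub fn sanitize_lenient(base: &Path, tail: &str) -> Result<PathBuf, Rejected> {
    resolve(base, tail, false)
}

/// Strict policy (hypothetical): also refuses ':' in every segment.
pub fn sanitize_strict(base: &Path, tail: &str) -> Result<PathBuf, Rejected> {
    resolve(base, tail, true)
}

fn main() {
    let tail = "/foo/bar/c:/windows/web/screen/img101.png"; // path from the advisory
    println!("lenient: {:?}", sanitize_lenient(Path::new("www"), tail));
    println!("strict:  {:?}", sanitize_strict(Path::new("www"), tail));
}
```

The release notes above place the colon fix in v0.3.3, so the warp version that Cargo.lock actually resolves to is the one to check after this bump.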

@text-html-renovate text-html-renovate bot force-pushed the renovate/crate-warp-vulnerability branch from b721688 to 2afc366 Compare September 26, 2024 19:27
@text-html-renovate
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
