Rocket: Cargo Audit Dependencies

Created on 26 Sep 2020 · 4 Comments · Source: SergioBenitez/Rocket

Rocket seems to be using outdated dependencies. This leads to two "security" problems found by cargo-audit:

$ cargo audit
[...]
warning: 1 warning found

Crate:  block-cipher-trait
Title:  crate has been renamed to `block-cipher`
Date:   2020-05-26
URL:    https://rustsec.org/advisories/RUSTSEC-2020-0018
Dependency tree:
block-cipher-trait 0.6.2
├── aesni 0.6.0
│   └── aes 0.3.2
│       └── aes-gcm 0.5.0
│           └── cookie 0.11.3
│               └── rocket_http 0.4.5
│                   ├── rocket_codegen 0.4.5
│                   │   └── rocket 0.4.5
│                   │       ├── rocket_contrib 0.4.5
│                   │       │   └── my-lovely-crate x.x.x
│                   │       └── my-lovely-crate x.x.x
│                   └── rocket 0.4.5
├── aes-soft 0.3.3
│   └── aes 0.3.2
├── aes-gcm 0.5.0
└── aes 0.3.2

Crate:  net2
Title:  `net2` crate has been deprecated; use `socket2` instead
Date:   2020-05-01
URL:    https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.35
├── miow 0.2.1
│   └── mio 0.6.22
│       ├── notify 4.0.15
│       │   └── rocket_contrib 0.4.5
│       │       └── my-lovely-crate x.x.x
│       └── mio-extras 2.0.6
│           └── notify 4.0.15
└── mio 0.6.22

warning: 1 warning found!

However, the new versions do not only change the patch level, but may contain breaking changes.
Maybe some kind of CI check would be helpful, e.g. using cargo-audit or even cargo-deny.

Rocket version: 0.4.5 (latest as of writing)
OS: Linux

upstream
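A CI gate that implements the suggestion above: fail the build on anything `cargo audit` reports, but allow documented, time-boxed exceptions for advisories the project cannot act on itself (the transitive net2 case discussed later in this thread is exactly that situation). This is an added example, not code from the issue or from the Rocket project. It assumes cargo-audit's `--ignore <ID>` and `--deny warnings` flags; the exception-file format, the `audit-exceptions.txt` name and the sample entries are constructed for the illustration.

```shell
#!/bin/sh
# CI gate around `cargo audit` (added example; not from the Rocket issue or
# the Rocket project). Policy: fail on vulnerabilities AND on warnings such as
# unmaintained/deprecated/yanked crates, unless an advisory is listed in an
# exception file with a justification and an expiry date. Expired exceptions
# are dropped automatically, so a "temporary" ignore for something like the
# transitive net2 dependency cannot quietly become permanent.
#
# Exception file format (assumed here, one entry per line, '#' comments ok):
#   RUSTSEC-YYYY-NNNN  YYYY-MM-DD(expiry)  free-text reason
set -eu

# Write a constructed sample exception file to $1 (sample data, not real policy).
write_sample_exceptions() {
    cat > "$1" <<'EOF'
# advisory          expires     reason
RUSTSEC-2020-0016   2021-03-31  net2 pulled in via notify -> mio 0.6; no fix available to us yet
RUSTSEC-2020-0018   2020-09-30  block-cipher-trait rename; fixed on master, drop after next release
EOF
}

# Turn the exception file $1 into `--ignore ID` arguments (one token per
# line on stdout) for the date $2 (YYYY-MM-DD). Expired entries are reported
# on stderr and skipped; a malformed id or expiry date fails the whole run.
build_ignore_args() {
    file="$1"; today_n=$(printf '%s' "$2" | sed 's/-//g')
    [ -f "$file" ] || return 0          # no file: nothing is ignored
    sed -e 's/#.*//' "$file" | while read -r id expires reason; do
        [ -n "$id" ] || continue        # blank or comment-only line
        case "$id" in
            RUSTSEC-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
            *) printf 'malformed advisory id: %s\n' "$id" >&2; exit 1 ;;
        esac
        exp_n=$(printf '%s' "$expires" | sed 's/-//g')
        case "$exp_n" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) printf 'malformed expiry for %s: "%s"\n' "$id" "$expires" >&2; exit 1 ;;
        esac
        # ISO dates with the dashes removed compare correctly as integers.
        if [ "$exp_n" -lt "$today_n" ]; then
            printf 'exception %s expired on %s (%s); not ignoring it\n' \
                "$id" "$expires" "$reason" >&2
            continue
        fi
        printf '%s\n%s\n' --ignore "$id"
    done
}

# Run the gate. $1 = exception file (default audit-exceptions.txt).
# `--deny warnings` makes cargo-audit exit non-zero for warning-class
# advisories too, so a new deprecation cannot slip through silently.
run_audit_gate() {
    args=$(build_ignore_args "${1:-audit-exceptions.txt}" "$(date +%Y-%m-%d)")
    # shellcheck disable=SC2086  # intentional word splitting of the arg list
    cargo audit --deny warnings $args
}

case "${1:-}" in
    --demo) f=$(mktemp); write_sample_exceptions "$f"
            build_ignore_args "$f" 2020-10-01; rm -f "$f" ;;
    --run)  run_audit_gate "${2:-audit-exceptions.txt}" ;;
esac
```

`--demo` builds the ignore list from the constructed sample as of 2020-10-01 (only RUSTSEC-2020-0016 survives; the block-cipher-trait entry has expired); `--run` performs the real audit in CI. An expired entry is not silently dropped: it is reported on stderr and cargo audit then fails on that advisory again, which forces someone to re-review the exception rather than let it live forever.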

All 4 comments

A lot of dependencies have been updated recently; can you run this check against the master branch, too?

The first is gone, but the second is still there (in rocket 0.5.0-dev):

warning: 1 warning found

Crate: net2
Title: net2 crate has been deprecated; use socket2 instead
Date: 2020-05-01
URL: https://rustsec.org/advisories/RUSTSEC-2020-0016

net2 is a dependency of mio which itself is a dependency of tokio; there is nothing we can do to remove our transitive dependency outside of not depending on hyper or tokio. As such, I'm closing this issue. I would suggest raising this issue in the appropriate issue tracker, mio's.

Sorry, my fault. In fact, the problem is that notify has not updated to mio 0.7 yet due to the deprecation of mio-extras. I linked the corresponding issue.
