Record cargo-vet violations for older zstd versions #8278
Conversation
When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions. Alex updated our dependencies to pull in the fixed versions in bytecodealliance#7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used. See gyscos/zstd-rs#231
|
I'm confused by the CI failure here. I ran |
There was a problem hiding this comment.
I personally get pretty confused with the interfactions of our configuration and new crates we add. I think it's an unfortunate interaction by how when a new crate is added it's not published on crates.io but then later on once it gets published we need new configuration, but only after it's later been published. Or... something like that? I've never bottomed it out to fully understand what's happening here, I tend to just throw things at the wall and see what sticks.
|
You may need to remove |
When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions.
Alex updated our dependencies to pull in the fixed versions in #7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used.
See gyscos/zstd-rs#231