
Fix smallvec vulnerability #502

Closed
wants to merge 4 commits into from

Conversation

FintanH
Contributor

@FintanH FintanH commented Jan 27, 2021

We force the smallvec dependency to be 1.6.1 due to the vulnerability
outlined in the issue Amanieu/parking_lot#274.
We depend on governor, which in turn depends on parking_lot.

Also updating the field db-url to db-urls, and outputting the version of cargo deny for inspection's sake.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
@FintanH FintanH requested a review from a team as a code owner January 27, 2021 11:25
The field db-url is deprecated and db-urls should be used instead.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
We force the smallvec dependency to be 1.6.1 due to the vulnerability
outlined in the issue here
Amanieu/parking_lot#274. We depend on governor
which in turn depends on parking_lot.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
@FintanH FintanH changed the title Output cargo deny version Fix smallvec vulnerability Jan 27, 2021
# parking_lot, which depends on smallvec. There is a vulnerability
# in v1.0 and so we're forcing cargo to use this version instead.
[dependencies.smallvec]
version = "1.6.1"
Contributor

Can we say >= 1.6.1, 1.6?

Also, how do we know this is no longer needed? Can we know? What can we know? Are we?

Contributor Author

Can we say >= 1.6.1, 1.6?

Ya, >= 1.6.1 would include the fix 👍

Also, how do we know this is no longer needed? Can we know? What can we know? Are we?

lol, I'll include this link boinkor-net/governor#60. Once that's in and bumped we could drop this.
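The reviewer's question above (how do we know the pin is still doing anything?) is answered by looking at what Cargo actually resolved. The following check is an added example, not code from this PR or from the radicle project: it parses a Cargo.lock, lists every resolved copy of a crate, and reports whether all of them meet a minimum version. The Cargo.lock excerpt is constructed for the example; it deliberately includes two smallvec entries, because a direct pin such as `smallvec = "1.6.1"` only steers the 1.x semver line, and an older incompatible line pulled in by some other transitive dependency stays in the lock file as a separate entry.

```python
import re

# Constructed Cargo.lock excerpt (not the project's real lock file).
# Two smallvec entries coexist: the pinned 1.6.1 and an older 0.6.x
# line that some other dependency still resolves to.
SAMPLE_LOCK = """
[[package]]
name = "governor"
version = "0.3.1"
dependencies = [
 "parking_lot",
]

[[package]]
name = "parking_lot"
version = "0.11.1"
dependencies = [
 "smallvec 1.6.1",
]

[[package]]
name = "smallvec"
version = "0.6.13"

[[package]]
name = "smallvec"
version = "1.6.1"
"""

# Cargo.lock always writes `name` then `version` directly after [[package]].
PACKAGE_RE = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')


def parse_version(v):
    """Turn '1.6.1' (ignoring any -pre or +build suffix) into a comparable tuple."""
    return tuple(int(x) for x in v.split("+")[0].split("-")[0].split("."))


def resolved_versions(lock_text, crate):
    """Every version of `crate` present in the lock file, in file order."""
    return [ver for name, ver in PACKAGE_RE.findall(lock_text) if name == crate]


def check_minimum(lock_text, crate, minimum):
    """Return (ok, versions). ok is True only when the crate is present and
    every resolved copy is at or above `minimum`; a single old copy fails."""
    versions = resolved_versions(lock_text, crate)
    ok = bool(versions) and all(parse_version(v) >= parse_version(minimum) for v in versions)
    return ok, versions
```

Running `check_minimum(SAMPLE_LOCK, "smallvec", "1.6.1")` on the constructed lock returns `(False, ["0.6.13", "1.6.1"])`: the pin worked for the 1.x line, but the check still flags the second entry, which is exactly the case a `cargo deny` advisory scan would also complain about.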

And link governor issue.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
@FintanH
Contributor Author

FintanH commented Jan 28, 2021

Closed via 41c216b

@FintanH FintanH closed this Jan 28, 2021
@FintanH FintanH deleted the deny-version branch January 28, 2021 14:22