Out-of-date dependencies #1712

Closed
paulhauner opened this issue Oct 3, 2020 · 5 comments

@paulhauner
Member

Description

We currently have several out-of-date dependencies which cannot be updated for various reasons. Whilst there's no immediate cause for concern, it's ideal for us to unblock these updates. This issue tracks these blockers.

  • db-key: cannot be upgraded since leveldb uses 0.0.5.
  • ring: cannot update since it requires a version of cc that cannot be reconciled with the web3 crate
  • web3: cannot update since the later versions removed support for IPC and it has yet to be reintroduced.
  • enr: we maintain this crate and have chosen not to update it at this time.
  • discv5: as above.
bors bot pushed a commit that referenced this issue Oct 5, 2020
## Issue Addressed

- Resolves #1706 

## Proposed Changes

Updates dependencies across the workspace. Any crate that was not able to be brought to the latest version is listed in #1712.

## Additional Info

NA
@paulhauner paulhauner removed the A1 label Nov 8, 2020
@paulhauner paulhauner added the A0 label Nov 9, 2020
@blacktemplar
Contributor

blacktemplar commented Dec 1, 2020

Update:

Some out of date dependencies get updated here: #2032

A list of out of date dependencies that can't get updated currently:

| Dependency | Blocking Reason |
| --- | --- |
| bytes 0.5.6→0.6.0 | reqwest requires bytes ^0.5 (seanmonstar/reqwest#1076) |
| db-key 0.0.5→0.1.0 | leveldb requires db-key ^0.0.5 (skade/leveldb#14) |
| flate2 1.0.14→1.0.19 | zip requires flate2 <= 1.0.14 (https://github.com/zip-rs/zip/blob/f5061c25e92c8808f27afbc7ea42f0bdc563c9c4/Cargo.toml#L15) |
| tokio-util 0.4.0→0.5.0 | requires bytes ^0.6 which conflicts with libp2p's requirement bytes ^0.5. Furthermore libp2p can't update to bytes ^0.6 because futures_codec requires bytes ^0.5 (matthunz/futures-codec#51) |
| unsigned-varint fork | tokio-util updated to 0.4.0 + other updates (needed for tokio 0.3) (paritytech/unsigned-varint#38) |
| libp2p fork | gossipsub implementation (libp2p/rust-libp2p#1720) |
| warp fork | update to tokio 0.3 (seanmonstar/warp#753, seanmonstar/warp#741) |
| milagro_bls fork | why not submit to crates.io @kirk-baird? |
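
The first three rows of the table above are blocked by version requirements declared in another crate's manifest. As an added example (not part of the original thread or of the Lighthouse code base), the Rust below implements a subset of Cargo's requirement matching and evaluates those rows; the function names are assumptions of this example, and pre-release versions and operators other than `^` and `<=` are not handled.

```rust
// Added example: a small subset of Cargo's version-requirement matching.
// Pre-release tags and operators other than `^` (or bare) and `<=` are out of scope.

fn parse(s: &str) -> Option<Vec<u64>> {
    let parts: Option<Vec<u64>> = s.trim().split('.').map(|p| p.parse().ok()).collect();
    parts.filter(|v| v.len() <= 3)
}

fn pad(v: &[u64]) -> [u64; 3] {
    let mut out = [0u64; 3];
    out[..v.len()].copy_from_slice(v);
    out
}

// Exclusive upper bound of a caret requirement: bump the left-most non-zero
// component, or the last one given when every given component is zero.
fn caret_upper(spec: &[u64]) -> [u64; 3] {
    let idx = spec.iter().position(|&c| c != 0).unwrap_or(spec.len() - 1);
    let mut upper = [0u64; 3];
    upper[idx] = spec[idx] + 1;
    upper
}

// Some(true) if `version` satisfies `req`; None if either string is outside the subset.
pub fn satisfies(req: &str, version: &str) -> Option<bool> {
    let ver = pad(&parse(version)?);
    let req = req.trim();
    if let Some(rest) = req.strip_prefix("<=") {
        let bound = parse(rest).filter(|v| v.len() == 3)?; // full versions only
        return Some(ver <= pad(&bound));
    }
    let spec = parse(req.strip_prefix('^').unwrap_or(req))?;
    Some(ver >= pad(&spec) && ver < caret_upper(&spec))
}

fn main() {
    // (dependent, dependency, requirement, current, wanted) as listed in the table above.
    let rows = [
        ("reqwest", "bytes", "^0.5", "0.5.6", "0.6.0"),
        ("leveldb", "db-key", "^0.0.5", "0.0.5", "0.1.0"),
        ("zip", "flate2", "<= 1.0.14", "1.0.14", "1.0.19"),
    ];
    for (dependent, dep, req, current, wanted) in rows {
        println!("{} needs {} {}: {} ok={:?}, {} ok={:?}", dependent, dep, req,
                 current, satisfies(req, current), wanted, satisfies(req, wanted));
    }
}
```

For 0.x crates the caret range stops at the next minor version (or the next patch version for 0.0.x), which is why a single pinned dependent can hold back an upgrade across the whole workspace.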

@kirk-baird
Member

That's a good question, I'm happy to have it on crates.io, what are your thoughts @paulhauner?

Also it is worth updating milagro_bls to v1.4.1 from v1.4.0 as it fixes naming issues for Windows users. (i.e. removes :)

bors bot pushed a commit that referenced this issue Dec 7, 2020
## Issue Addressed

NA

## Proposed Changes

Updates out of date dependencies.

## Additional Info

See also #1712 for a list of dependencies that are still out of date and the reasons.
@blacktemplar
Contributor

I just saw that the web3 got updated in #1989, updated the table :)

@michaelsproul
Member

> I just saw that the web3 got updated in #1989, updated the table :)

Mere hours after you did, they released a new version, 0.14! 😩 It doesn't help us much (no IPC, no Tokio 0.3), so I don't think we need to rush to update: https://github.com/tomusdrw/rust-web3/releases/tag/v0.14.0

bors bot pushed a commit that referenced this issue Dec 14, 2020
## Issue Addressed

Partially addresses dependencies mentioned in issue #1712.

## Proposed Changes

Updates dependencies (including an update avoiding a vulnerability) + add tokio compatibility to `remote_signer_test`
bors bot pushed a commit that referenced this issue Feb 10, 2021
## Issue Addressed

resolves #2129
resolves #2099 
addresses some of #1712
unblocks #2076
unblocks #2153 

## Proposed Changes

- Updates all the dependencies mentioned in #2129, except for web3. They haven't merged their tokio 1.0 update because they are waiting on some dependencies of their own. Since we only use web3 in tests, I think updating it in a separate issue is fine. If they are able to merge soon though, I can update in this PR. 

- Updates `tokio_util` to 0.6.2 and `bytes` to 1.0.1.

- We haven't made a discv5 release since merging tokio 1.0 updates so I'm using a commit rather than release atm. **Edit:** I think we should merge an update of `tokio_util` to 0.6.2 into discv5 before this release because it has panic fixes in `DelayQueue`  --> PR in discv5:  sigp/discv5#58

## Additional Info

tokio 1.0 changes that required some changes in lighthouse:

- `interval.next().await.is_some()` -> `interval.tick().await`
- `sleep` future is now `!Unpin` -> tokio-rs/tokio#3028
- `try_recv` has been temporarily removed from `mpsc` -> tokio-rs/tokio#3350
- stream features have moved to `tokio-stream` and `broadcast::Receiver::into_stream()` has been temporarily removed -> tokio-rs/tokio#2870
- I've copied over the `BroadcastStream` wrapper from this PR, but can update to use `tokio-stream` once it's merged tokio-rs/tokio#3384

Co-authored-by: realbigsean <seananderson33@gmail.com>
bors bot pushed a commit that referenced this issue Nov 5, 2021
## Issue Addressed

This is related to #1926 and #1712.

## Proposed Changes

This PR adds a test that makes sure that the used dependencies can be vendored.

Being able to vendor the dependencies is important for archival and reproducibility purposes.
It's also required to package lighthouse for some Linux distributions. Specifically [NixOS](https://nixos.org/) and [Yocto](https://www.yoctoproject.org/).

## Additional Info

This PR only adds the test, it doesn't clean up the dependencies yet. That's why it is in draft.
@michaelsproul
Member

Closing this as it's out of date and I don't think we need it: we have cargo audit for urgent updates and gardening PRs like #3136 for ongoing maintenance updates.
