Please update dependencies #330

nazar-pc · 2025-02-24T08:12:57Z

The dependencies used here are outdated and should be updated:

ring 0.16 is old and doesn't compile on some targets + results in duplicated dependencies been built for Substrate users
rustls 0.20 is also old and has known CVE attached to it, which while not applicable, requires active suppression and results in duplicated dependencies for Substrate users

The most frustrating thing is that we don't even use litep2p, it gets pulled with Substrate unconditionally and we have to struggle from this for no reason 😕

Please consider updating these ASAP and bump the version in Substrate accordingly

nazar-pc · 2025-03-07T11:15:01Z

Another security advisory from ring 0.16 caused by litep2p: https://rustsec.org/advisories/RUSTSEC-2025-0009.html

lexnv · 2025-03-07T11:55:35Z

Hey Nazar! Apologies for the inconvenience, I will have a look at upgrading our dependencies soon!

The following crates are made optional, depending on the Quic feature flag: - ring - rustls This effectively ensures that litep2p is not leaking outdated dependencies for experimental features (ie quic). Closes: #330 cc @paritytech/networking --------- Signed-off-by: Alexandru Vasile <[email protected]>

nazar-pc mentioned this issue Feb 24, 2025

Selectively update a few dependencies to remove some RUSTSEC advisory supressions autonomys/subspace#3404

Merged

1 task

lexnv mentioned this issue Mar 13, 2025

features: Move quic related dependencies under feature flag #359

Merged

lexnv closed this as completed in #359 Mar 31, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Please update dependencies #330

Please update dependencies #330

nazar-pc commented Feb 24, 2025

nazar-pc commented Mar 7, 2025

lexnv commented Mar 7, 2025

Please update dependencies #330

Please update dependencies #330

Comments

nazar-pc commented Feb 24, 2025

nazar-pc commented Mar 7, 2025

lexnv commented Mar 7, 2025