This repository was archived by the owner on Aug 3, 2023. It is now read-only.

@jyn514 jyn514 commented Dec 7, 2021

Note that I didn't say "fix the vulnerabilities" - this just ignores the chrono and time vulnerabilities because they're both very hard to fix and not very common in practice.

This uncovered a tokio vulnerability, which I've fixed by upgrading tokio.

cc #2117

This fixes the following `cargo audit` warning:

```
Crate:         tokio
Version:       1.13.0
Title:         Data race when sending and receiving after closing a `oneshot` channel
Date:          2021-11-16
ID:            RUSTSEC-2021-0124
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:      Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
```

Versions changed:

```
Updating tokio v1.13.0 -> v1.14.0
Updating tokio-macros v1.5.1 -> v1.6.0
```
@jyn514 jyn514 requested a review from a team as a code owner December 7, 2021 20:54
These can't be fixed for now, and are causing us to miss more important audit vulnerabilities.
@threepointone threepointone merged commit f41ec5e into master Dec 13, 2021
@delete-merged-branch delete-merged-branch bot deleted the jnelson/audit branch December 13, 2021 09:19
@threepointone threepointone mentioned this pull request Dec 16, 2021