
Please update dependencies to non-vulnerable versions #49

Closed
antifuchs opened this issue May 8, 2022 · 5 comments

Comments

@antifuchs

Currently, running cargo deny check advisories on a rust project that uses the starlark crate results in errors about RUSTSEC advisories, both of them fixed by now:

Would it be possible to bump those versions?

@ndmitchell
Contributor

Thanks for putting together that list. Happily, we can upgrade to the latest version of both those packages without any code changes, so I've shoved up an internal diff to do so (it will be mirrored open source as soon as someone accepts it, sometime Monday probably). Would it be useful to get a release with those changes included?

I wonder if this should go into our CI? Annoying that it requires installing cargo-deny though, would be much easier if it was a standard part of Cargo.

@antifuchs
Author

Thanks for pushing that changeset in - look forward to it landing here. A release when it lands would be amazing - I'm in the process of porting to starlark 0.7 myself (:

Not sure if your CI uses github actions internally (my guess is no), but if running cargo check on the OSS repo is sufficient for you, I use cargo deny in governor here, using the github action published by EmbarkStudios: https://github.com/antifuchs/governor/blob/master/.github/workflows/ci_push.yml#L53-L60. That has a cached install of cargo-deny, isn't tedious and doesn't take a long time to run.

@ndmitchell
Contributor

Cool, will release once it lands (I think it's probably a 0.8 as there are probably some minor breaking changes, but I'll double check).

Running cargo check in the OSS repo seems good enough, that action looks pretty good, so I'll take a go at integrating it.
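A workflow in the shape antifuchs suggests and ndmitchell agrees to integrate, added here as an illustration; it is not the governor or starlark-rust workflow, and the file name, job name, action tags and the weekly schedule are assumptions:

```yaml
# .github/workflows/deny.yml (constructed example, not taken from either repository)
name: cargo-deny

on:
  push:
  pull_request:
  # New RUSTSEC advisories are published against dependencies that have not
  # changed, so a periodic run catches them even when nobody pushes a commit.
  schedule:
    - cron: "0 6 * * 1"

jobs:
  advisories:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # EmbarkStudios/cargo-deny-action ships a prebuilt cargo-deny binary,
      # so the tool is not compiled from source on every run.
      # `command` selects which checks run; `check advisories` is the
      # RUSTSEC check that failed in this issue (bans, licenses and sources
      # can be added to the same command later).
      - uses: EmbarkStudios/cargo-deny-action@v1
        with:
          command: check advisories
```

cargo-deny reads its policy from a `deny.toml` in the crate root; an `[advisories]` table with `vulnerability = "deny"` and `unmaintained = "warn"` fails the job on known-vulnerable versions while only warning on unmaintained ones, and any advisory id listed under `ignore` should carry a comment explaining why it was accepted.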

facebook-github-bot pushed a commit that referenced this issue May 9, 2022
Summary: As reported at #49

Reviewed By: stepancheg

Differential Revision: D36235985

fbshipit-source-id: 5d3f288e53ab02a168e400b07b8403f2df0783b7
facebook-github-bot pushed a commit to facebook/buck2 that referenced this issue May 9, 2022
Summary: As reported at facebook/starlark-rust#49

Reviewed By: stepancheg

Differential Revision: D36235985

fbshipit-source-id: 5d3f288e53ab02a168e400b07b8403f2df0783b7
@ndmitchell
Contributor

Fixed in a74f58b and a release of 0.8 with the changes.

facebook-github-bot pushed a commit that referenced this issue May 16, 2022
Summary: Based on a request in #49

Reviewed By: krallin

Differential Revision: D36400473

fbshipit-source-id: c2c03cd00572e039e94b7f2b3f7e1b68b57116be
facebook-github-bot pushed a commit to facebook/buck2 that referenced this issue May 16, 2022
Summary: Based on a request in facebook/starlark-rust#49

Reviewed By: krallin

Differential Revision: D36400473

fbshipit-source-id: c2c03cd00572e039e94b7f2b3f7e1b68b57116be
@ndmitchell
Contributor

Tests added to CI in 959865f
