New cargo audit failures on CI (RUSTSEC-2023-0052 & RUSTSEC-2023-0053) #4651
Comments
|
libp2p tracking issue: libp2p/rust-libp2p#4375 |
bors bot
pushed a commit
that referenced
this issue
Aug 24, 2023
## Issue Addressed Temporary ignore for #4651. We are unaffected, and upstream will be patched in a few days. ## Proposed Changes - Ignore cargo audit failures (ublocks CI) - Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
bors bot
pushed a commit
that referenced
this issue
Aug 24, 2023
## Issue Addressed Temporary ignore for #4651. We are unaffected, and upstream will be patched in a few days. ## Proposed Changes - Ignore cargo audit failures (ublocks CI) - Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
bors bot
pushed a commit
that referenced
this issue
Sep 22, 2023
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after #4639 get's merged. closes #4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
bors bot
pushed a commit
that referenced
this issue
Sep 22, 2023
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after #4639 get's merged. closes #4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
bors bot
pushed a commit
that referenced
this issue
Sep 22, 2023
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after #4639 get's merged. closes #4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
bors bot
pushed a commit
that referenced
this issue
Sep 22, 2023
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after #4639 get's merged. closes #4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
bors bot
pushed a commit
that referenced
this issue
Sep 22, 2023
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after #4639 get's merged. closes #4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
|
Completed in #4650 🎉 |
Woodpile37
pushed a commit
to Woodpile37/lighthouse
that referenced
this issue
Jan 6, 2024
## Issue Addressed Synchronize dependencies and edition on the workspace `Cargo.toml` ## Proposed Changes with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. ## Additional Info this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after sigp#4639 get's merged. closes sigp#4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
Woodpile37
pushed a commit
to Woodpile37/lighthouse
that referenced
this issue
Jan 6, 2024
## Issue Addressed Temporary ignore for sigp#4651. We are unaffected, and upstream will be patched in a few days. ## Proposed Changes - Ignore cargo audit failures (ublocks CI) - Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
Woodpile37
pushed a commit
to Woodpile37/lighthouse
that referenced
this issue
Jan 6, 2024
Synchronize dependencies and edition on the workspace `Cargo.toml` with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after sigp#4639 get's merged. closes sigp#4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
Woodpile37
pushed a commit
to Woodpile37/lighthouse
that referenced
this issue
Jan 6, 2024
## Issue Addressed Temporary ignore for sigp#4651. We are unaffected, and upstream will be patched in a few days. ## Proposed Changes - Ignore cargo audit failures (ublocks CI) - Use `--locked` when building with `cross`. We use `--locked` for regular builds, and I think excluding it from `cross` was just an oversight. I think for consistent builds it makes sense to use `--locked` while building. This is particularly relevant for release binaries, which otherwise will just use a random selection of dependencies that exist on build day (near impossible to recreate if we had to).
Woodpile37
pushed a commit
to Woodpile37/lighthouse
that referenced
this issue
Jan 6, 2024
Synchronize dependencies and edition on the workspace `Cargo.toml` with rust-lang/cargo#8415 merged it's now possible to synchronize details on the workspace `Cargo.toml` like the metadata and dependencies. By only having dependencies that are shared between multiple crates aligned on the workspace `Cargo.toml` it's easier to not miss duplicate versions of the same dependency and therefore ease on the compile times. this PR also removes the no longer required direct dependency of the `serde_derive` crate. should be reviewed after sigp#4639 get's merged. closes sigp#4651 Co-authored-by: Michael Sproul <[email protected]> Co-authored-by: Michael Sproul <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Failing cargo audit CI job
https://github.com/sigp/lighthouse/actions/runs/5943983318/job/16120312336
https://rustsec.org/advisories/RUSTSEC-2023-0052
https://rustsec.org/advisories/RUSTSEC-2023-0053
The text was updated successfully, but these errors were encountered: