update rustls to fix RUSTSEC-2023-0053

[lightydo]

No description provided.

[JamesHinshelwood]

Hi @daniel-abramov @alexheretic , sorry for the ping. Would it be possible to merge this soon and release a new version, so upstream projects can resolve the vulnerability alert?

[sdroege]

The updated version requirements in Cargo.toml are needed because this function does not exist in older versions? If so, only the version of rustls has to be bumped or not? Why also the bump of tokio-rustls?

[alexheretic]

Yes looks like add_trust_anchors was added in rustls 0.21.6 and add_server_trust_anchors deprecated.

I don't know what changed in tokio-rustls 0.24.1. But it's probably harmless to up the min version anyway 🤷

[sdroege]

If there's no reason then it forces users to update for no reason, and that might actually break something for them if for whatever reason they must use an older version. I wouldn't unnecessarily bump minimum versions.

[ZoeS17]

It looks like a refactor happened around commit 07e8da6e52f0eb76323f77d441bd1a06498b2f1c here's the diff from 0.24.0 to 0.24.1 for tokio-rustls as I could find it.

[sdroege]

IIRC the webpki-roots API is exported somewhere from tokio-tungstenite, so bumping this would require releasing this as a breaking release (i.e. 0.21.0).

[alexheretic]

I don't believe it is exported. I can only see the one usage which is afaics isolated from the public api.

[sdroege]

I misremembered then, sorry :) Thanks for checking

[alexheretic]

lgtm

[agalakhov]

It's time to release new version.