Bridge: remove rustix via clap bump (#1109)
Refs: <https://github.com/svix/svix-webhooks/security/dependabot/74>

Formerly we had a runtime dep on a vulnerable version of `rustix`. This
was transitive, and introduced via `clap`. Bumping clap removed this
dependency from our tree.

There is still one vulnerable version introduced via
`opentelemetry-otlp`, but since it's a build-dep it's less of a concern
(see the advisory for the rationale).

```
$ cargo tree -p rustix@0.38.8 -i
rustix v0.38.8
└── tempfile v3.7.1
    └── prost-build v0.11.9
        └── tonic-build v0.8.4
            [build-dependencies]
            └── opentelemetry-proto v0.1.0
                └── opentelemetry-otlp v0.11.0
                    └── svix-bridge v1.13.0 (/home/onelson/Projects/svix-webhooks/bridge/svix-bridge)
```

If we can update the various otel-related deps, we might be able to bump
`rustix` or remove it entirely, but that's a bigger lift.
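The triage in the message above rests on reading `cargo tree -i` and noticing the `[build-dependencies]` marker on one path. As an added example (not code from the svix-webhooks repository), the script below automates that reading: it classifies every reverse-dependency path as runtime, build or dev, and runs over a constructed tree modelled on the one above, with a hypothetical clap branch and a placeholder workspace path added so both outcomes appear.

```shell
#!/bin/sh
# Added example, not from the svix-webhooks repository: classify each path in
# `cargo tree -i` output as runtime, build or dev using the section markers
# ([build-dependencies], [dev-dependencies]) that cargo prints.

# Constructed sample of `cargo tree -p rustix@0.38.8 -i` output. The clap
# branch (crate names, versions) and the workspace path are illustrative.
SAMPLE_TREE='rustix v0.38.8
├── is-terminal v0.4.9
│   └── clap_builder v4.3.0
│       └── clap v4.3.0
│           └── svix-bridge v1.13.0 (/path/to/bridge/svix-bridge)
└── tempfile v3.7.1
    └── prost-build v0.11.9
        └── tonic-build v0.8.4
            [build-dependencies]
            └── opentelemetry-proto v0.1.0
                └── opentelemetry-otlp v0.11.0
                    └── svix-bridge v1.13.0 (/path/to/bridge/svix-bridge)'

# Reads an inverted tree on stdin and prints one line per leaf (the crate at
# the far end of each path, normally a workspace member):
#   <runtime|build|dev><TAB><leaf crate>
classify_reverse_deps() {
  # Turn the box-drawing prefixes into four spaces so depth is plain indentation.
  sed 's/└── /    /g; s/├── /    /g; s/│   /    /g' |
  awk '
    function emit() { if (name != "") print label "\t" name }
    {
      match($0, /^ */); depth = int(RLENGTH / 4); text = substr($0, RLENGTH + 1)
      # A marker sits at its parent depth and applies to the nodes one level below.
      if (text ~ /^\[build-dependencies\]/) { kind[depth + 1] = "build"; next }
      if (text ~ /^\[dev-dependencies\]/)   { kind[depth + 1] = "dev";   next }
      # A node at this depth ends every deeper section opened before it
      # (64 is a generous bound on tree depth).
      for (k = depth + 1; k <= 64; k++) delete kind[k]
      # The previous node was a leaf if this one is not deeper than it.
      if (depth <= prev_depth) emit()
      label = "runtime"
      for (k = 1; k <= depth; k++) if (k in kind) label = kind[k]
      name = text; prev_depth = depth
    }
    END { emit() }'
}

printf '%s\n' "$SAMPLE_TREE" | classify_reverse_deps
```

Against the sample this reports the clap path as `runtime` and the opentelemetry path as `build`, which is the distinction the message uses to decide what is urgent.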
svix-onelson authored Oct 19, 2023
2 parents 07cb72e + e154a0c commit 81fcc24
Showing 1 changed file with 10 additions and 23 deletions.
33 changes: 10 additions & 23 deletions bridge/Cargo.lock

