Resolve security advisories #3746

Merged
merged 2 commits into from
Mar 19, 2025

Conversation

tgeoghegan
Copy link
Contributor

Resolve outstanding security advisories (1, 2, 3) that cause build failures (4). See individual commits for discussion.

@tgeoghegan tgeoghegan requested a review from a team as a code owner March 19, 2025 17:51
`sqlx-mysql` pulls in the vulnerable `rsa` crate. Janus only works with
PostgreSQL, so we don't need that driver at all. `janus_aggregator_core`
already enables the slim feature set we need, so we add
`default-features = false` to the workspace level dependency to turn off
the rest (`cargo` is unhappy if we put `default-features = false` in
`aggregator_core/Cargo.toml`).

Note that due to an outstanding `cargo` issue ([1], [2]), `sqlx-mysql` and
`sqlx-sqlite` still appear in `Cargo.lock`, but are never used or even
compiled.

[1]: launchbadge/sqlx#2579
[2]: rust-lang/cargo#10801

We can't update the dependency until `opentelemetry-prometheus` either
moves to a fixed `protobuf` or adds a feature letting us opt out of
protobuf support. Either way, this advisory doesn't apply to Janus per
the reasoning in deny.toml.
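The pattern the two commits describe, as an added illustration that is not the Janus repository's own manifest: the workspace-level dependency turns sqlx's default features off, the member crate opts back into only the driver it needs, and cargo-deny records why an advisory is considered not applicable. The sqlx version, the feature names, and the advisory ID and reason are placeholders chosen for the example.

```toml
# Added example, not taken from the Janus repo. Version, feature names and the
# advisory entry are assumptions for illustration only.

# --- workspace Cargo.toml ---
[workspace.dependencies]
# default-features = false drops sqlx's default drivers (sqlx-mysql, sqlx-sqlite),
# so sqlx-mysql and its `rsa` dependency are no longer built. The lockfile may
# still list them (launchbadge/sqlx#2579, rust-lang/cargo#10801).
sqlx = { version = "0.8", default-features = false }

# --- aggregator_core/Cargo.toml (workspace member) ---
[dependencies]
# Inherit the workspace entry and re-enable just the PostgreSQL driver plus a
# runtime and TLS backend. A `default-features = false` here would be ignored
# by cargo because the workspace entry decides defaults, so it lives above.
sqlx = { workspace = true, features = ["postgres", "runtime-tokio", "tls-rustls"] }

# --- deny.toml ---
[advisories]
ignore = [
    # Placeholder ID and reason: the real advisory is not named on this page.
    # cargo-deny accepts an object so the justification is kept with the ignore.
    { id = "RUSTSEC-0000-0000", reason = "placeholder: code path is never reachable in this project" },
]
```

After a change like this, `cargo tree -i rsa` should no longer find the package in the resolved graph even though `Cargo.lock` still mentions `sqlx-mysql`, and `cargo deny check advisories` will skip the ignored advisory while still failing on anything new.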
@tgeoghegan tgeoghegan force-pushed the timg/security-advisories branch from d4e1445 to 6b21b61 Compare March 19, 2025 17:55
@tgeoghegan
Copy link
Contributor Author

We still have the advisory for backoff firing, but we have work underway to resolve that.

@tgeoghegan tgeoghegan enabled auto-merge (squash) March 19, 2025 17:59
@tgeoghegan tgeoghegan merged commit 1b08c0d into main Mar 19, 2025
7 of 8 checks passed
@tgeoghegan tgeoghegan deleted the timg/security-advisories branch March 19, 2025 18:23