Conversation
0xPoe
commented
Jun 30, 2023
- Bump openssl v0.10.52 -> v0.10.55 to address the security alert. https://github.com/rust-lang/rustup/security/dependabot
- Bump proc-macro2 v1.0.51 -> v1.0.63 to make rustup compile. See Delete use of proc_macro::Span::before/after dtolnay/proc-macro2#391.
Signed-off-by: hi-rustin <rustin.liu@gmail.com>
I updated it with:

➜ rustup git:(master) cargo tree -i -p openssl --target all
openssl v0.10.55
└── native-tls v0.2.11
    ├── hyper-tls v0.5.0
    │   └── reqwest v0.11.17
    │       └── download v1.26.0 (/Volumes/t7/code/rustup/download)
    │           └── rustup v1.26.0 (/Volumes/t7/code/rustup)
    ├── reqwest v0.11.17 (*)
    └── tokio-native-tls v0.3.1
        ├── hyper-tls v0.5.0 (*)
        └── reqwest v0.11.17 (*)

We only have one version.
Thanks for your review! 💚 💙 💜 💛 ❤️
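An added example, not code from the rustup repository or from this PR, that performs the same check as the `cargo tree -i -p openssl` output above but directly against a Cargo.lock file: it lists every locked copy of a crate and reports failure if the crate is missing or any locked copy is below a required minimum version. The Cargo.lock excerpt below is constructed for the example (it is not rustup's real lock file); the crate names and the 0.10.55 floor are the ones discussed in this PR.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock excerpt (not rustup's real lock file). It mirrors the
# single openssl entry at v0.10.55 that the PR's `cargo tree` output shows.
SAMPLE_LOCK = """
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "native-tls"
version = "0.2.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "openssl",
]

[[package]]
name = "openssl"
version = "0.10.55"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "proc-macro2"
version = "1.0.63"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Each Cargo.lock entry starts with [[package]] followed by name and version.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s+name = "(?P<name>[^"]+)"\s+version = "(?P<version>[^"]+)"'
)


def parse_lock(text: str) -> Dict[str, List[str]]:
    """Map crate name -> list of locked versions.

    A crate can appear more than once when different dependents pin
    incompatible ranges, so every copy is collected.
    """
    found: Dict[str, List[str]] = {}
    for m in PACKAGE_RE.finditer(text):
        found.setdefault(m.group("name"), []).append(m.group("version"))
    return found


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.10.55' into (0, 10, 55); pre-release and build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def check_min_version(lock_text: str, crate: str, minimum: str) -> Tuple[bool, List[str]]:
    """Return (ok, versions) for `crate` in the lock file.

    ok is True only when the crate is present and every locked copy is at
    least `minimum`. An absent crate is reported as not ok so that a renamed
    or silently dropped dependency does not pass the check unnoticed.
    """
    versions = parse_lock(lock_text).get(crate, [])
    if not versions:
        return False, versions
    floor = parse_version(minimum)
    ok = all(parse_version(v) >= floor for v in versions)
    return ok, versions


if __name__ == "__main__":
    ok, versions = check_min_version(SAMPLE_LOCK, "openssl", "0.10.55")
    print(f"openssl locked at {versions}: {'OK' if ok else 'NEEDS BUMP'}")
```

Running this over a lock file still pinning the pre-bump version (0.10.52) yields `NEEDS BUMP`; after the bump in this PR the single 0.10.55 entry passes. Because `cargo tree -i` reports every path to the crate while this check only reads the lock file, the two are complementary: the tree shows why a copy is present, the lock check fails CI if it is too old.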
Yep, but it depends on whether or not we allow openssl older than 0.10.55 to be built with rustup. Some pros:
The counterargument is obviously that we then force everyone to use 0.10.55 or newer.
I'd say it must be pretty rare that people build rustup on their own, but still there AFAIK.
For this case, the CI may help us to avoid this kind of situation.
We already checked the lock file in our repo. Do you mean users will use it as a package?
weihanglo
left a comment
Yes. As a dependency. Cargo usually tries to make them in sync for the manifest and the lockfile. It's not really a big deal. So go ahead!
The use of rustup as a dependency should be rare. Thank you for your review.