Conversation
Pull request overview
This PR addresses dependency audit findings by updating Rust dependencies (notably scratchstack-aws-signature and mysql_async), adjusting the AWS XKS SigV4 middleware to the new scratchstack-aws-signature validation API, and refreshing Nix vendor hashes accordingly.
Changes:
- Update scratchstack-aws-signature to 0.11 (and related lockfile updates) and adjust AWS XKS SigV4 request validation code to match the new API.
- Update mysql_async to 0.36.2 and enable jsonwebtoken's use_pem feature.
- Refresh Nix expected vendor hashes and update cargo-deny advisory ignore configuration.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| nix/expected-hashes/ui.vendor.non-fips.sha256 | Updated Nix vendoring hash for non-FIPS UI inputs. |
| nix/expected-hashes/ui.vendor.fips.sha256 | Updated Nix vendoring hash for FIPS UI inputs. |
| nix/expected-hashes/ui.pnpm.linux.sha256 | Updated Nix pnpm dependency hash (Linux). |
| nix/expected-hashes/ui.pnpm.darwin.sha256 | Updated Nix pnpm dependency hash (macOS). |
| nix/expected-hashes/server.vendor.static.sha256 | Updated Nix vendoring hash for server static build inputs. |
| nix/expected-hashes/cli.vendor.linux.sha256 | Updated Nix vendoring hash for CLI inputs (Linux). |
| deny.toml | Adjusted ignored RustSec advisory to match updated dependency graph. |
| crate/server/src/routes/aws_xks/sigv4_middleware.rs | Migrated SigV4 verification to sigv4_validate_request flow. |
| crate/server_database/Cargo.toml | Bumped mysql_async patch version. |
| Cargo.toml | Updated scratchstack-aws-signature version and enabled jsonwebtoken use_pem. |
| Cargo.lock | Lockfile refresh reflecting dependency upgrades and transitive changes. |
9d92b76 to 63141e1
dacut/scratchstack-aws-signature#20 has been merged and a version 0.11.4 of
| rand = "0.9" | ||
| reqwest = { version = "0.12", default-features = false } | ||
| scratchstack-aws-signature = "=0.10" # Must stay 0.10 for now (Feb 2026) | ||
| scratchstack-aws-signature = "0.11" |
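Review bot: the removed line pinned the crate with `=0.10` and carried the comment "Must stay 0.10 for now (Feb 2026)", while the replacement `scratchstack-aws-signature = "0.11"` drops both the comment and the exact pin; the PR should state why that constraint no longer applies, and since `"0.11"` is a caret range rather than an exact version, use `=0.11` if the intent of pinning to one version still holds.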
As the comment says, it must stay on 0.10 for now. @bgrieder did not upgrade to 0.11 on purpose. Especially now that we did the real tests with the S3 environment and other AWS services.
it's easier to restart a new PR than fix this one, opening #876 and closing this
FIX 1
Fixes
to
RUSTSEC-2025-0009 is a vulnerability which makes the other RustSec advisories less "important" to fix.
I submitted a PR to update this encoding library: dacut/scratchstack-aws-signature#20
FIX 2
There is also another warning: I submitted a fix PR and the maintainer was quick to react and accept it:
blackbeam/mysql_async#390
This was done by following this migration: https://docs.rs/scratchstack-aws-signature/0.11.3/scratchstack_aws_signature/migration/index.html
NOTE: the only "difference" is that the timeout that used to be 5 minutes is now also delegated to the library and is now 15 minutes by default instead, which is more permissive and hence ok.