
fix(deps): update RustSec vulnerable dependencies #6664

Open

abisheik687 wants to merge 1 commit into graphprotocol:master from abisheik687:fix-rustsec-quinn-tokio-postgres

Conversation

@abisheik687


Summary

Updates the vulnerable Rust dependencies reported in #6650:

  • quinn-proto from 0.11.14 to 0.11.15
  • tokio-postgres from 0.7.15 to 0.7.18
  • required transitive postgres/crypto crates to versions compatible with tokio-postgres 0.7.18

Notes

The primary goal is to resolve the RustSec advisories for quinn-proto and tokio-postgres while keeping the change limited to Cargo.lock.

Testing

Not run locally: cargo/rustc were not available in my local environment. This should be validated by CI with cargo check/workspace checks.

Closes #6650.

@lutter

lutter commented Jul 2, 2026

Collaborator

The build for this fails. I get:

>just lint
cargo clippy --all-targets
error: failed to select a version for `libredox`.
    ... required by package `whoami v2.0.1`
    ... which satisfies dependency `whoami = "^2.0.1"` of package `tokio-postgres v0.7.18`
    ... which satisfies dependency `tokio-postgres = "^0.7.10"` (locked to 0.7.18) of package `diesel-async v0.9.2`
    ... which satisfies dependency `diesel-async = "^0.9.0"` (locked to 0.9.2) of package `graph-node v0.44.0 (/home/lutter/code/graph-node/repo/node)`
    ... which satisfies path dependency `graph-node` (locked to 0.44.0) of package `gnd v0.44.0 (/home/lutter/code/graph-node/repo/gnd)`
versions that meet the requirements `^0.1.12` are: 0.1.18, 0.1.17, 0.1.16, 0.1.15, 0.1.14, 0.1.13, 0.1.12

all possible versions conflict with previously selected packages.

  previously selected package `libredox v0.1.3`
    ... which satisfies dependency `libredox = "^0.1.3"` (locked to 0.1.3) of package `redox_users v0.4.5`
    ... which satisfies dependency `redox_users = "^0.4"` (locked to 0.4.5) of package `dirs-sys v0.4.1`
    ... which satisfies dependency `dirs-sys = "^0.4.1"` (locked to 0.4.1) of package `dirs v5.0.1`
    ... which satisfies dependency `dirs = ">=4, <7"` (locked to 5.0.1) of package `shellexpand v3.1.2`
    ... which satisfies dependency `shellexpand = "^3.1.2"` (locked to 3.1.2) of package `graph-node v0.44.0 (/home/lutter/code/graph-node/repo/node)`
    ... which satisfies path dependency `graph-node` (locked to 0.44.0) of package `gnd v0.44.0 (/home/lutter/code/graph-node/repo/gnd)`

failed to select a version for `libredox` which could resolve this conflict
error: recipe `lint` failed on line 11 with exit code 101
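The resolver error above comes down to one pinned crate having to satisfy two caret requirements at once: the lock pins libredox 0.1.3 (wanted as ^0.1.3 by redox_users) while the newly locked whoami 2.0.1 wants ^0.1.12. Cargo keeps a single copy of a crate per semver-compatible range, so a hand-edited Cargo.lock that adds the new dependant without moving the pin cannot resolve. The following is an added example, not code from this PR or from graph-node, that parses a constructed, minimal Cargo.lock fragment, applies Cargo's caret rule, and reports which dependants the pin violates and which available versions would satisfy everyone. The requirement strings and the list of available libredox versions are taken from the resolver output in the comment above; the lock fragment and the helper names are assumptions made for the example.

```python
"""Check whether a Cargo.lock pin satisfies every caret requirement on it.

Added example (not part of the graph-node PR). It reproduces the conflict from
the resolver output above on a constructed Cargo.lock fragment.
"""
import re

# Constructed Cargo.lock fragment: only the packages relevant to the conflict.
CARGO_LOCK = """
version = 3

[[package]]
name = "libredox"
version = "0.1.3"

[[package]]
name = "redox_users"
version = "0.4.5"
dependencies = ["libredox"]

[[package]]
name = "whoami"
version = "2.0.1"
dependencies = ["libredox"]
"""

# Caret requirements each dependant declares on libredox (these live in the
# dependants' Cargo.toml files; the strings are the ones cargo printed above).
REQUIREMENTS = {
    "redox_users": "^0.1.3",
    "whoami": "^0.1.12",
}

# libredox versions the resolver listed as matching ^0.1.12, plus the pinned one.
AVAILABLE = ["0.1.3", "0.1.12", "0.1.13", "0.1.14", "0.1.15", "0.1.16", "0.1.17", "0.1.18"]

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lock(lock_text):
    """Minimal parser for the [[package]] tables of a Cargo.lock (name/version only)."""
    packages, current = [], None
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            m = _KV.match(line)
            if m and m.group(1) in ("name", "version"):
                current[m.group(1)] = m.group(2)
    return packages


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def caret_satisfied(req, version):
    """Cargo caret semantics: ^a.b.c allows >= a.b.c and < the next breaking
    component. For 0.x.y the first non-zero component is the breaking one,
    so ^0.1.3 means >=0.1.3,<0.2.0 and ^1.2.3 means >=1.2.3,<2.0.0."""
    base = parse_version(req.lstrip("^"))
    ver = parse_version(version)
    if ver < base:
        return False
    idx = next((i for i, c in enumerate(base) if c != 0), len(base) - 1)
    upper = list(base[: idx + 1])
    upper[idx] += 1
    return ver[: idx + 1] < tuple(upper)


def locked_version(lock_text, name):
    for pkg in parse_lock(lock_text):
        if pkg.get("name") == name:
            return pkg["version"]
    raise KeyError(name)


def conflicts(lock_text, crate, requirements):
    """Dependants whose caret requirement the locked pin of `crate` violates."""
    pinned = locked_version(lock_text, crate)
    return [dep for dep, req in requirements.items() if not caret_satisfied(req, pinned)]


def candidates(requirements, available):
    """Versions that satisfy every requirement at once (a pin cargo could move to)."""
    return [v for v in available if all(caret_satisfied(r, v) for r in requirements.values())]


if __name__ == "__main__":
    print("pinned libredox:", locked_version(CARGO_LOCK, "libredox"))
    print("pin violates requirement of:", conflicts(CARGO_LOCK, "libredox", REQUIREMENTS))
    print("versions satisfying all requirements:", candidates(REQUIREMENTS, AVAILABLE))
```

Run as-is it reports that the 0.1.3 pin violates whoami's requirement and that 0.1.12 through 0.1.18 satisfy both dependants. Cargo never moves a locked version on its own; asking it to re-pick within the compatible range (for example with `cargo update -p libredox`) is what turns the conflict into a lock change that CI can actually check.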



Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0185: Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly

2 participants