chore(deps): cargo update + drop unmaintained rustls-pemfile #8
Merged
Refresh Cargo.lock to the latest semver-compatible versions of all dependencies (no Cargo.toml constraint changes). Notable bumps include tokio 1.52.1 -> 1.52.3, postgres-types 0.2.13 -> 0.2.14, rust_decimal 1.41.0 -> 1.42.1, reqwest 0.13.3 -> 0.13.4, and tower-http 0.6.8 -> 0.6.11. cargo build, clippy --all-targets -D warnings, fmt --check, and the full test suite (against Trino 479) all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
cargo-deny flagged three issues against the current advisory DB. The cargo update commit already resolves the postgres-protocol (>=0.6.12) and tokio-postgres (RUSTSEC-2026-0178, >=0.7.18) advisories. This commit handles the remaining two:

- rustls-pemfile is unmaintained (RUSTSEC-2025-0134) with no safe upgrade. It is now a thin wrapper around rustls-pki-types, which we already depend on. Migrate src/tls.rs to the rustls-pki-types PemObject API (CertificateDer::pem_file_iter / PrivateKeyDer::from_pem_file, behind the `std` feature) and drop the rustls-pemfile dependency.
- Allow "Apache-2.0 WITH LLVM-exception" in deny.toml. It is pulled in via psm/stacker (sqlparser's recursion guard) and is Apache-2.0-compatible.

cargo deny check now reports advisories/bans/licenses/sources all ok; build, clippy -D warnings, fmt, and the full test suite (incl. the TLS keypair tests, against Trino 479) pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

Bring the dependency tree back to a green `cargo-deny` against the current advisory DB. (`main` is currently red against today's DB — these advisories post-date the last run.)

Two commits:

- `cargo update` — refresh `Cargo.lock` to latest semver-compatible versions. Resolves two advisories: `postgres-protocol` → 0.6.12, and `tokio-postgres` → 0.7.18 (RUSTSEC-2026-0178, a DoS panic on a short `DataRow`). No `Cargo.toml` constraint changes here.
- `rustls-pemfile` (RUSTSEC-2025-0134, no safe upgrade) — it is now a thin wrapper around `rustls-pki-types`, which we already depend on. `src/tls.rs` migrates to the `rustls-pki-types` `PemObject` API (`CertificateDer::pem_file_iter` / `PrivateKeyDer::from_pem_file`, behind the `std` feature). Also allow `Apache-2.0 WITH LLVM-exception` in `deny.toml` (pulled in via `psm`/`stacker` under `sqlparser`; Apache-2.0-compatible).

Testing

`cargo deny check` → advisories/bans/licenses/sources all ok. `cargo build`, `cargo clippy --all-targets -- -D warnings`, `cargo fmt --check`, and the full test suite (incl. the TLS keypair tests, against Trino 479 on SDP) all pass.

Note

#7 (binary result-format fix) is stacked on this branch — it needs these same advisory fixes to pass CI. Merge this first; #7 will retarget to `main` automatically.

🤖 Generated with Claude Code
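A lockfile check for the versions this PR names, as an added example that is not part of the PR or the project's code: it scans Cargo.lock text for `rustls-pemfile` and for `postgres-protocol` / `tokio-postgres` entries below the fixed versions quoted above. The function names and the sample lockfile are constructed for illustration; `cargo deny check` remains the authoritative gate.

```rust
// Added example. Floors and the banned crate come from the PR text;
// function names and the sample lockfile are assumptions for illustration.
const FLOORS: &[(&str, (u64, u64, u64))] = &[
    ("postgres-protocol", (0, 6, 12)),
    ("tokio-postgres", (0, 7, 18)), // RUSTSEC-2026-0178
];
const BANNED: &[&str] = &["rustls-pemfile"]; // RUSTSEC-2025-0134

// Constructed sample, not the project's real Cargo.lock.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"postgres-protocol\"\nversion = \"0.6.12\"\n\n\
[[package]]\nname = \"tokio-postgres\"\nversion = \"0.7.17\"\n\n\
[[package]]\nname = \"rustls-pemfile\"\nversion = \"2.2.0\"\n";

/// Parse "MAJOR.MINOR.PATCH"; a pre-release/build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Value of a `key = "value"` line, or None if the line has another key.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// One finding per lockfile entry that is banned or below its floor.
fn audit_lock(lock: &str) -> Vec<String> {
    let mut findings = Vec::new();
    // Text before the first `[[package]]` header is lockfile metadata; skip it.
    for block in lock.split("[[package]]").skip(1) {
        let name = block.lines().find_map(|l| quoted(l, "name"));
        let version = block.lines().find_map(|l| quoted(l, "version"));
        let (Some(name), Some(version)) = (name, version) else { continue };
        if BANNED.contains(&name) {
            findings.push(format!("{name} {version}: banned (unmaintained)"));
        }
        if let Some((_, floor)) = FLOORS.iter().find(|(n, _)| *n == name) {
            // Unparseable versions fail closed.
            if parse_version(version).map_or(true, |v| v < *floor) {
                let (a, b, c) = *floor;
                findings.push(format!("{name} {version}: below {a}.{b}.{c}"));
            }
        }
    }
    findings
}

fn main() {
    for finding in audit_lock(SAMPLE_LOCK) {
        println!("FAIL {finding}");
    }
}
```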