Skip to content

audit: Fix deps #7130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 13, 2025
Merged

audit: Fix deps #7130

merged 3 commits into from
May 13, 2025

Conversation

Teebor-Choka
Copy link
Contributor

@Teebor-Choka Teebor-Choka commented May 13, 2025
edited
Loading

This pull request introduces several changes, primarily focused on replacing the http-types dependency with the http crate across multiple files, updating dependencies, and improving serialization handling. Below is a categorized summary of the most important changes:

Dependency Updates and Configuration:

  • Updated .cargo/audit.toml to remove older advisories and add new ones, including RUSTSEC-2024-0436 for the paste dependency and RUSTSEC-2025-0009/RUSTSEC-2025-0010 for the ring dependency.
  • Updated Cargo.toml to replace http-types with http and added serde_with for enhanced serialization support. Also added comments to clarify dependency audit status. [1] [2]

Migration from http-types to http:

  • Replaced http-types with the http crate in chain/rpc/src/client.rs, updating all references to Method and StatusCode to use http equivalents. This includes changes in function signatures, method implementations, and test cases. [1] [2] [3] [4] [5]
  • Updated HttpRequestError in chain/rpc/src/errors.rs to use http::StatusCode instead of http_types::StatusCode.

Serialization Enhancements:

  • Introduced serde_with for better serialization handling in SimpleJsonRpcRetryPolicy. Added annotations like #[serde_as] and #[serde_as(as = "Vec<serde_with::TryFromInto<u16>>")] to improve type safety and maintainability. [1] [2]

Code Simplification:

  • Simplified chain/rpc/src/lib.rs by removing unused imports from http-types and consolidating serde imports. Updated HttpRequestor trait methods to use http::Method instead of http_types::Method. [1] [2]

Minor Improvements:

  • Updated test cases in chain/rpc/src/client.rs to align with the migration to http by using http::StatusCode::TOO_MANY_REQUESTS and related constants. [1] [2]

These changes collectively improve dependency management, enhance serialization capabilities, and align the codebase with modern libraries for better maintainability.

@Teebor-Choka Teebor-Choka added this to the 3.0.0 milestone May 13, 2025
@Teebor-Choka Teebor-Choka self-assigned this May 13, 2025
@Teebor-Choka Teebor-Choka added the dependencies Pull requests that update a dependency file label May 13, 2025
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented May 13, 2025
edited
Loading

📝 Walkthrough

"""

Walkthrough

The changes update .cargo/audit.toml by expanding the RustSec advisory ignore list with new entries and annotations, and revise comments in Cargo.toml to clarify the status of certain dependencies regarding audit and update processes. The http-types dependency is replaced by http in multiple Cargo.toml files and source code, with all HTTP-related types and constants migrated accordingly. The SimpleJsonRpcRetryPolicy struct and HttpRequestError enum are updated to use http::StatusCode. The HttpRequestor trait's method parameter types are changed from http_types::Method to http::Method. A new dependency serde_with is added. No functional or dependency version changes are introduced.

Changes

File(s) Change Summary
.cargo/audit.toml Added five new RustSec advisory IDs to the ignore list, updated annotations, no config changes.
Cargo.toml, chain/rpc/Cargo.toml Replaced http-types dependency with http; added serde_with dependency; updated comments on ethers and hickory-resolver.
chain/rpc/src/client.rs Replaced all http_types imports and types with http equivalents, including Method and StatusCode; updated struct field type.
chain/rpc/src/errors.rs Changed HttpRequestError::HttpError variant to use http::StatusCode instead of http_types::StatusCode.
chain/rpc/src/lib.rs Changed HttpRequestor trait method parameter types from http_types::Method to http::Method; updated default method calls.

Possibly related PRs

Suggested labels

crate:chain-rpc
"""

Suggested reviewers

  • tolbrino
  • NumberFour8

Tip

⚡️ Faster reviews with caching
  • CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.

Enjoy the performance boost—your workflow just got faster.

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 69ba5fd and 232b2d5.

📒 Files selected for processing (1)
  • Cargo.toml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • Cargo.toml
⏰ Context from checks skipped due to timeout of 90000ms (8)
  • GitHub Check: tests-smoke (websocket_api)
  • GitHub Check: tests-unit-nightly
  • GitHub Check: tests-smart-contracts
  • GitHub Check: tests-unit
  • GitHub Check: zizmor
  • GitHub Check: hoprd / docker
  • GitHub Check: hopli / docker
  • GitHub Check: Linter

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@Teebor-Choka Teebor-Choka linked an issue May 13, 2025 that may be closed by this pull request
Fix the cargo audit results #7022
Closed
1 task
@Teebor-Choka Teebor-Choka marked this pull request as ready for review May 13, 2025 10:23
@Copilot Copilot AI review requested due to automatic review settings May 13, 2025 10:23
Copilot
Copilot AI reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request updates dependency configurations to address security advisories and improve dependency management.

  • Updated comments in Cargo.toml to clarify dependency behavior (e.g., forced dependency 'ring' is ignored in audit).
  • Added new vulnerability IDs to the ignore list in .cargo/audit.toml to address known security advisories.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
Cargo.toml Adjusted comments for dependencies to clarify dependency handling.
.cargo/audit.toml Added new vulnerability IDs and updated comments with status tags.

coderabbitai[bot]
coderabbitai bot reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
.cargo/audit.toml (1)

7-11: Add annotation for ring-related advisories for consistency
The entries for RUSTSEC-2025-0009 and RUSTSEC-2025-0010 currently lack a bracketed note (e.g., [unmaintained] or [unfixed]) explaining why they're ignored. To align with the style used for other advisories and improve future clarity, append an annotation to those lines.

Apply this diff:

-"RUSTSEC-2025-0009", # 'ring' dependency in 'ethers-rs'
-"RUSTSEC-2025-0010", # 'ring' dependency in 'ethers-rs'
+"RUSTSEC-2025-0009", # 'ring' dependency in 'ethers-rs' [unmaintained]
+"RUSTSEC-2025-0010", # 'ring' dependency in 'ethers-rs' [unmaintained]
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05bba78 and 851789f.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .cargo/audit.toml (1 hunks)
  • Cargo.toml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (9)
  • GitHub Check: hopli / docker
  • GitHub Check: hoprd / docker
  • GitHub Check: Docs / Rust docs
  • GitHub Check: Add PR labels
  • GitHub Check: tests-smoke (websocket_api)
  • GitHub Check: tests-unit
  • GitHub Check: tests-unit-nightly
  • GitHub Check: Linter
  • GitHub Check: zizmor
🔇 Additional comments (2)
Cargo.toml (2)

91-91: Clarify audit rationale in dependency comment
The comment on the ethers dependency clearly explains why its forced ring dependency is ignored in the audit. This aligns with the ignore list in .cargo/audit.toml.

102-102: Approve renovate‐ignore note
The updated comment for hickory-resolver succinctly notes that it’s ignored in Renovate until libp2p-dns is updated. No further changes needed here.

@Teebor-Choka Teebor-Choka merged commit f7b7b1f into master May 13, 2025
38 of 41 checks passed
@Teebor-Choka Teebor-Choka deleted the kauki/deps/fix-audit branch May 13, 2025 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@NumberFour8 NumberFour8 NumberFour8 approved these changes

Assignees

@Teebor-Choka Teebor-Choka

Labels
crate:hopr-chain-rpc dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.

Fix the cargo audit results
2 participants
@Teebor-Choka @NumberFour8