Byron/google-apis-rs

Need to update yup-oauth2 version to pass cargo-audit

xd009642 opened this issue · 3 comments

https://rustsec.org/advisories/RUSTSEC-2023-0052

Crate:         webpki
Version:       0.22.0
Title:         webpki: CPU denial of service in certificate path building
Date:          2023-08-22
ID:            RUSTSEC-2023-0052
URL:           https://rustsec.org/advisories/RUSTSEC-2023-0052
Solution:      No safe upgrade is available!
Dependency tree:
webpki 0.22.0
├── tokio-rustls 0.23.4
│   └── hyper-rustls 0.23.2
│       ├── yup-oauth2 8.1.1
│       │   └── google-apis-common 5.0.4
│       │       └── google-texttospeech1 5.0.2+20230118

I was looking at doing this myself and just PRing to save some time but I saw some comment about pinning yup-oauth2 to an earlier version because of not wanting to upgrade hyper-rustls and wasn't sure what the mentioned compatibility issue is...

Byron commented

You are probably looking at an older version, as the one available here in-source is using the most recent versions.

However, publishing all these crates takes a while so it will take a little longer until it arrives on crates.io.
As an immediate workaround, please use the source code of the crate in this repository.

Closing as this is fixed, but please feel free to ping me here if something else is missing or if the new release doesn't show up within the next couple of days. Thanks.

Just out of curiosity how does the release process work? Because I can see all the empty release commits and they seem to be going through and stopped around G yesterday. Not sure if it's automated or just some very tedious release work 🤔

Byron commented

It's a mix of a tedious, rate-limited release and the 'empty commit issue' being something I chose to fix. Now it's back to normal and all the crates should be released by the end of today.