omjadas/hudsucker

Cargo audit failure due to tungstenite dependency

rageshkrishna opened this issue · 3 comments

I get the following high-severity audit failure due to hudsucker's dependency on a vulnerable version of tungstenite:

Crate:     tungstenite
Version:   0.19.0
Title:     Tungstenite allows remote attackers to cause a denial of service
Date:      2023-09-25
ID:        RUSTSEC-2023-0065
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0065
Severity:  7.5 (high)
Solution:  Upgrade to >=0.20.1
Dependency tree:
tungstenite 0.19.0
├── tokio-tungstenite 0.19.0
│   ├── hyper-tungstenite 0.10.0
│   │   └── hudsucker 0.20.0
│   │       └── <my component>
│   └── hudsucker 0.20.0
└── hyper-tungstenite 0.10.0

error: 1 vulnerability found!

It seems like the latest release of hyper-tungstenite uses a fixed version of tungstenite, so it would be good if hudsucker could be updated to resolve the security issue.

I'm not familiar with hudsucker's internals and how it uses tungstenite (or even what tungstenite does, to be honest), so it's not clear to me right now if there would be any issues with just bumping the version.

I have just published v0.21.0, which should fix this.

Thank you, @omjadas! I somehow completely missed the notification for this update.
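As an added example (not code from the hudsucker project or from anyone in this issue), the check below scans a Cargo.lock for every resolved version of a crate and flags any version below the advisory's fixed version, using the crate name and the ">=0.20.1" fix from the cargo audit output above. The lockfile content is constructed to mirror that dependency tree; the function names, the semver comparison and the exact-name matching are all this example's own assumptions, not cargo-audit's behaviour.

```shell
#!/bin/sh
# Added example (not code from the hudsucker project or the issue above):
# scan a Cargo.lock for every resolved version of a crate and flag any
# version below the advisory's fixed version. The Cargo.lock content below
# is constructed to mirror the dependency tree in the cargo audit output.
set -u

# Constructed sample lockfile. Exact-name matching matters: the advisory
# covers tungstenite itself, not tokio-tungstenite or hyper-tungstenite.
SAMPLE_LOCK='[[package]]
name = "hudsucker"
version = "0.20.0"

[[package]]
name = "hyper-tungstenite"
version = "0.10.0"

[[package]]
name = "tokio-tungstenite"
version = "0.19.0"

[[package]]
name = "tungstenite"
version = "0.19.0"
'
SAMPLE_LOCK_FILE=$(mktemp)
printf '%s' "$SAMPLE_LOCK" > "$SAMPLE_LOCK_FILE"

# lock_versions FILE CRATE: print each resolved version of CRATE, one per
# line (a lockfile may pin several versions of the same crate at once).
lock_versions() {
  awk -v crate="$2" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); ver = $3; if (name == crate) print ver }
  ' "$1"
}

# version_lt A B: succeed when A < B for numeric MAJOR.MINOR.PATCH versions.
# A "-pre" suffix on the patch component is ignored; build metadata is not handled.
version_lt() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}; a_patch=${a_patch%%-*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}; b_patch=${b_patch%%-*}
  if [ "$a_major" -ne "$b_major" ]; then
    [ "$a_major" -lt "$b_major" ] && return 0 || return 1
  fi
  if [ "$a_minor" -ne "$b_minor" ]; then
    [ "$a_minor" -lt "$b_minor" ] && return 0 || return 1
  fi
  [ "$a_patch" -lt "$b_patch" ] && return 0 || return 1
}

# audit_lock FILE CRATE FIXED: print one line per resolved version of CRATE
# that is below FIXED; exit 1 if any was found, 0 otherwise.
audit_lock() {
  found=0
  for ver in $(lock_versions "$1" "$2"); do
    if version_lt "$ver" "$3"; then
      echo "$2 $ver is below fixed version $3"
      found=1
    fi
  done
  return "$found"
}

# Crate name and fixed version taken from the RUSTSEC-2023-0065 entry above.
if audit_lock "$SAMPLE_LOCK_FILE" tungstenite 0.20.1; then
  echo "no vulnerable tungstenite in lockfile"
else
  echo "bump the dependency that pulls in tungstenite, then re-run cargo audit"
fi
```

Running it against a real project is a matter of pointing `audit_lock` at the project's Cargo.lock; the point of reading the lockfile rather than Cargo.toml is that the vulnerable crate is a transitive dependency (tungstenite via tokio-tungstenite via hyper-tungstenite via hudsucker here), so only the resolved lockfile shows which version actually ships.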