
[Blocked: `chrono` dependency in Substrate] A0-786: Run `cargo-audit` in pipelines

Open pmikolajczyk41 opened this issue 3 years ago • 1 comment

Description

We add a new workflow running cargo-audit. This required bumping some dependencies (see diff).

Vulnerabilities found:

  • https://rustsec.org/advisories/RUSTSEC-2021-0130
  • https://rustsec.org/advisories/RUSTSEC-2020-0071

The second one is hard to fix, since several Substrate packages depend on chrono, which depends on time = 0.1.x, which is no longer maintained and thus not recoverable from RUSTSEC-2020-0071. Related links:

  • https://github.com/chronotope/chrono/issues/499
  • https://github.com/advisories/GHSA-wcg3-cvx6-7396

Type of change

  • [ ] New feature (non-breaking change which adds functionality)

pmikolajczyk41 avatar May 25 '22 06:05 pmikolajczyk41
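An illustrative GitHub Actions workflow for the kind of gate described in the PR above. It is added here as an example and is not the workflow from this PR's diff (which is not shown on this page). It assumes a standard Cargo workspace with a committed Cargo.lock, and uses cargo-audit's `--ignore` flag so that the unfixable RUSTSEC-2020-0071 is recorded as an accepted risk instead of silently disabling the check, while any other advisory still fails the pipeline.

```yaml
name: cargo-audit

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    # Re-run daily so advisories published after the last code change still fail the build.
    - cron: "0 6 * * *"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Audit Cargo.lock
        # RUSTSEC-2020-0071 is reached through chrono -> time 0.1.x, which Substrate
        # crates depend on and which cannot be fixed downstream (see the issue links
        # above). It is therefore explicitly accepted here rather than hidden; every
        # other advisory, including RUSTSEC-2021-0130 if the bump regresses, fails the job.
        # Review this ignore list whenever Substrate or chrono is upgraded.
        run: cargo audit --ignore RUSTSEC-2020-0071
```

The same accepted advisory can instead be listed under `[advisories] ignore = [...]` in `.cargo/audit.toml` so that local `cargo audit` runs and CI agree on what is tolerated.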

Please make sure the following happened

  • [ ] Appropriate tests created
  • [ ] Infrastructure updated accordingly
  • [ ] Updated existing documentation
  • [ ] New documentation created
  • [ ] Bump spec_version and transaction_version if relevant
  • [ ] Bump aleph-client version if relevant

github-actions[bot] avatar May 25 '22 06:05 github-actions[bot]