http-types
http-types copied to clipboard
http-rs
Update rand dependency because of RUSTSEC-2021-0023
There is an open rustsec issue (RUSTSEC-2021-0023) about a transitive dependency of http-types 2.12.0. On the main branch this seems to be fixed by migrating to fastrand but I think this might also warrant a maintenance release.
CI failures are caused by clippy, at least one looks like an actual bug that was already fixed on the main branch
I have a PR that fixes the lints which we can hopefully base this on top of: https://github.com/http-rs/http-types/pull/399
@Fishrock123 I don't see a merge conflict on this branch. Seems like it can be merged?
Rebased. There might be new clippy lints since the last update, let's see.
@nox it would help to open a PR fixing the broken clippies. They're not broken because of this PR, but they are blocking merge
@jhorstmann I've made a PR fixing the clippy lints and it got merged. Care to rebase this PR on top of current master? Thanks.
@nox did you mean cherry-pick instead? My idea here was to apply the change to the 2.x branch for a maintenance release. The master branch seems to have switched to a different crate for random numbers.
Looking at the rustsec advisory again it also seems that rand 0.7 / rand_core 0.5 was never affected. Maybe the advisory was updated, or the tool we use at work for scanning dependencies had wrong information.
An updated maintenance release would still be nice.
@nox did you mean cherry-pick instead? My idea here was to apply the change to the 2.x branch for a maintenance release. The master branch seems to have switched to a different crate for random numbers.
Yeah sorry, I just meant to tell you about the lint fixes so we can get this merged and released as some 2.y.z version.
I just realised that the lints were independently fixed, so it seems all we need is a rebase, @jhorstmann.