Update the protobuf dependency
I have realized that raft-rs relies on a very old version of protobuf, which has a series of dependency vulnerabilities (found by running cargo deny). It would be great to update the protobuf dependency to the latest.
Welcome @jorgeantonio21! It looks like this is your first issue to tikv/raft-rs 🎉
To be more precise, here is the output of running cargo audit:
% cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 821 security advisories (from /Users/jorgeantonio/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (464 crate dependencies)
Crate: protobuf
Version: 2.28.0
Title: Crash due to uncontrolled recursion in protobuf crate
Date: 2024-12-12
ID: RUSTSEC-2024-0437
URL: https://rustsec.org/advisories/RUSTSEC-2024-0437
Solution: Upgrade to >=3.7.2
Dependency tree:
protobuf 2.28.0
├── zippy 0.1.0
├── raft-proto 0.7.0
│   └── raft 0.7.0
│       └── zippy 0.1.0
└── raft 0.7.0
Crate: fxhash
Version: 0.2.1
Warning: unmaintained
Title: fxhash - no longer maintained
Date: 2025-09-05
ID: RUSTSEC-2025-0057
URL: https://rustsec.org/advisories/RUSTSEC-2025-0057
Dependency tree:
fxhash 0.2.1
├── tracing-timing 0.7.0
│ └── zippy 0.1.0
└── raft 0.7.0
    └── zippy 0.1.0
error: 1 vulnerability found!
warning: 1 allowed warning found
@jorgeantonio21 Because protobuf 3.x is not compatible with 2.x, upgrading to 3.x is a breaking change. So we don't have a plan to migrate to v3.x. Maybe you can submit an issue in the rust-protobuf repo to ask for a fix for v2.x.
I have requested this on the rust-protobuf repository:
https://github.com/stepancheg/rust-protobuf/issues/773
Just ofc, could there be some added value to updating protobuf? Even though this is a breaking change, could it be worth pursuing?