fix(security): improvements #1853

Merged: shamardy merged 15 commits into dev from improvements on Jun 8, 2023

@onur-ozkan onur-ozkan commented May 31, 2023

Fixes:

dependency updates:

  • bump librustzcash crates to k-1.3.0
  • use latest stable rmp-serde 0.14.3 -> v1.1.1, but rolled back to 0.14.3 in here: "fix(incompatible-dep): rollback rmp" #1862, so need to review it in release PR.
  • bump blake2 to latest stable v0.10.4 -> v0.10.6
  • use latest stable metrics dependencies v0.19.0 -> v0.21.0
  • use latest stable hyper v0.14.11 -> v0.14.26
  • update rusqlite v0.24.2 -> 0.28.0
  • update env_logger v0.9.0 -> 0.9.3
  • remove getrandom
  • libm v0.2.7 added
  • mach2 v0.4.1 added instead of mach v0.3.2
  • portable-atomic v1.3.2 added
  • base64 v0.21.2 added
  • ahash 0.7.6 -> 0.8.3
  • block-modes 0.7.0 -> 0.8.1
  • fpe 0.3.13 -> 0.3.19
  • hashbrown 0.12.1 -> 0.13.2
  • hashlink 0.6.0 -> 0.8.2
  • httparse 1.6.0 -> 1.8.0
  • hyper 0.14.18 -> 0.14.26
  • libsqlite3-sys 0.20.1 -> 0.25.2
  • metrics-exporter-prometheus 0.10.0 -> 0.12.1
  • metrics-macros 0.5.1 -> 0.7.0
  • metrics-util 0.13.0 -> 0.15.0
  • num-traits 0.2.12 -> 0.2.15
  • ordered-float 2.10.0 -> 3.7.0
  • pkg-config 0.3.17 -> 0.3.27
  • quanta 0.9.3 -> 0.11.1
  • rmp 0.8.9 -> 0.8.11
  • sketches-ddsketch 0.1.3 -> 0.2.1
  • socket2 0.4.4 -> 0.4.9
  • termcolor 1.1.0 -> 1.2.0
  • version_check 0.9.2 -> 0.9.4

Signed-off-by: ozkanonur <work@onurozkan.dev>
@onur-ozkan onur-ozkan requested review from cipig, shamardy and smk762 May 31, 2023 15:16
@onur-ozkan
Author

It would be great if you can do some general testing to see if things go well as expected @cipig @smk762

@onur-ozkan onur-ozkan changed the title from "security related improvements" to "fix(security): security related improvements" May 31, 2023
@onur-ozkan onur-ozkan changed the title from "fix(security): security related improvements" to "fix(security): improvements" May 31, 2023
@shamardy shamardy left a comment

Thanks for the fixes! LGTM but I have 2 questions. Will approve once they are answered :)
I added some comments about added deps too so that I can remember to add them to the commit message.

Comment thread Cargo.lock
]

[[package]]
name = "mach"
Collaborator

Author

Are you sure? Seems this Cargo.lock file isn't in this branch

Collaborator

It's in this branch, but I just noticed that it's the adex-cli Cargo.lock file. Should we update it too in this PR?

Author

It's not in the mm2 workspace, I think we shouldn't do it in this PR.

Collaborator

> I think we shouldn't do it in this PR.

Agreed

@rozhkovdmitrii I will leave this comment to you with the related advisory RUSTSEC-2020-0168 so that you can update it for cli in the future if you think it's important.
