
v2.3: Ignore security advisory from tracing-subscriber dep (backport of #7846)#7858

Merged
t-nelson merged 1 commit intov2.3from
mergify/bp/v2.3/pr-7846
Sep 3, 2025

Conversation


@mergify mergify Bot commented Sep 3, 2025

Problem

```
Crate:     tracing-subscriber
Version:   0.3.7
Title:     Logging user input may result in poisoning logs with ANSI escape sequences
Date:      2025-08-29
ID:        RUSTSEC-2025-0055
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0055
Solution:  Upgrade to >=0.3.20
Dependency tree:
tracing-subscriber 0.3.7
```

Summary of Changes

Ignore the advisory given the callers of this dependency are not production code:

```
cargo tree --invert tracing-subscriber --depth 3
tracing-subscriber v0.3.20
└── tracing-opentelemetry v0.17.2
    └── tarpc v0.29.0
        ├── solana-banks-client v3.1.0 (/Users/steviez/src/solana/banks-client)
        ├── solana-banks-interface v3.1.0 (/Users/steviez/src/solana/banks-interface)
        └── solana-banks-server v3.1.0 (/Users/steviez/src/solana/banks-server)
```

---

This is an automatic backport of pull request #7846 done by [Mergify](https://mergify.com).

The only users of this dependency are crates that support test harnesses
such as solana-program-test; this is not used in production code

(cherry picked from commit ddca2f9)
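The advisory above (RUSTSEC-2025-0055) is about log poisoning: if an attacker-controlled string such as a username carries terminal control sequences and is logged verbatim, a terminal or log viewer can be made to erase or rewrite lines. The advisory's fix is to upgrade tracing-subscriber; this PR instead accepts the risk because only test-harness crates pull the dependency in. As an added, independent illustration of the underlying problem (not code from this PR, from Agave, or from the tracing-subscriber crate), the following std-only Rust shows how to detect such sequences in untrusted input and render them visibly before they reach a log line. The function names and the sample "username" are constructed for this example.

```rust
// Added example (not part of the PR or the tracing-subscriber crate): make
// ANSI/C0/C1 control characters in untrusted input visible instead of
// letting them reach a terminal or log file unchanged.

/// True if the input contains a control character a terminal would act on
/// (ESC and the other C0 controls, DEL, or C1 controls such as U+009B, the
/// single-byte CSI). Ordinary whitespace is not flagged.
pub fn contains_control_sequence(input: &str) -> bool {
    input.chars().any(is_dangerous_control)
}

fn is_dangerous_control(c: char) -> bool {
    match c {
        '\t' | '\n' | '\r' => false,             // plain whitespace, leave alone
        '\u{00}'..='\u{1f}' | '\u{7f}' => true,  // C0 controls (incl. ESC) and DEL
        '\u{80}'..='\u{9f}' => true,             // C1 controls, e.g. U+009B CSI
        _ => false,
    }
}

/// Rewrites each control character into a visible `\u{XX}` form so that the
/// record stays a single, human-readable line and the escape sequence loses
/// its effect on whatever later renders the log.
pub fn sanitize_for_log(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_dangerous_control(c) {
            // ESC (0x1b) becomes the literal text \u{1b}
            out.push_str(&format!("\\u{{{:x}}}", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

fn main() {
    // Constructed sample: a "username" that tries to clear the current line
    // and then print a green, fake-looking status message.
    let hostile = "alice\x1b[2K\x1b[1;32m[OK] login succeeded\x1b[0m";
    println!("control sequence detected: {}", contains_control_sequence(hostile));
    println!("sanitized: {}", sanitize_for_log(hostile));
}
```

The detection function is what a triage check or a unit test would call on log output produced from untrusted fields; the sanitizer is a defence-in-depth step for code paths that format user data into logs with any logging stack, independent of whether the affected crate version is upgraded.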
@mergify mergify Bot assigned steviez Sep 3, 2025
@mergify mergify Bot requested a review from a team as a code owner September 3, 2025 16:14
@steviez steviez changed the title v2.3: v3.0: Ignore security advisory from tracing-subscriber dep (backport of #7846) v2.3: Ignore security advisory from tracing-subscriber dep (backport of #7846) Sep 3, 2025

t-nelson commented Sep 3, 2025

can we drop the 3.0 from the commit title as well?


steviez commented Sep 3, 2025

> can we drop the 3.0 from the commit title as well?

I was going to do it on merge through the GUI; I can git commit --amend if you'd prefer


t-nelson commented Sep 3, 2025

not sure how ci managed to break here


steviez commented Sep 3, 2025

> not sure how ci managed to break here

I see you already retried a handful of times too ... always something


@t-nelson t-nelson left a comment


pr is obviously correct and unrelated to ci failure. gonna merge on red

@t-nelson t-nelson merged commit b3ac317 into v2.3 Sep 3, 2025
17 of 19 checks passed
@t-nelson t-nelson deleted the mergify/bp/v2.3/pr-7846 branch September 3, 2025 22:31

steviez commented Sep 4, 2025

> pr is obviously correct and unrelated to ci failure. gonna merge on red

Works for me but guess I should have done the git commit --amend after all 😆
