
fix(compliance): bytes updated to 1.11.1#8857

Merged
aaronArinder merged 1 commit into dev from aaron/fix-compliance-bytes
Feb 3, 2026

@aaronArinder

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

  • PR description explains the motivation for the change and relevant context for reviewing
  • PR description links appropriate GitHub/Jira tickets (creating when necessary)
  • Changeset is included for user-facing changes
  • Changes are compatible [1]
  • Documentation [2] completed
  • Performance impact assessed and acceptable
  • Metrics and logs are added [3] and documented
  • Tests added and passing [4]
    • Unit tests
    • Integration tests
    • Manual tests, as necessary

Exceptions

Note any exceptions here

Notes

Footnotes

  1. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this.

  2. Configuration is an important part of many changes. Where applicable please try to document configuration examples.

  3. A lot of (if not most) features benefit from built-in observability and debug-level logs. Please read this guidance on metrics best-practices.

  4. Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions.

apollo-librarian bot commented Feb 3, 2026

✅ Docs preview has no changes

The preview was not built because there were no changes.

Build ID: 0c72981cc93ffeda40538c9a

github-actions bot commented Feb 3, 2026

@aaronArinder, please consider creating a changeset entry in /.changesets/. These instructions describe the process and tooling.

aaronArinder merged commit 56b7ea8 into dev on Feb 3, 2026
15 checks passed
aaronArinder deleted the aaron/fix-compliance-bytes branch on February 3, 2026 18:10
abernix added a commit that referenced this pull request Mar 23, 2026
Fixes the 1.x nightly compliance check which was failing on two
advisories.

RUSTSEC-2026-0049 (rustls-webpki CRL matching bug): the patched version
(>=0.103.10) requires the rustls 0.23.x ecosystem — a migration out of
scope for the 1.x LTS branch.  The CRL matching bug requires a
compromised trusted CA to exploit, and the router does not enable CRL
revocation checking, so this code path is not reachable in practice.
On dev this was resolved incidentally via the rustls 0.23.x upgrade
(bfbc625, #7554 and subsequent commits).

RUSTSEC-2026-0007 (bytes integer overflow): bumped bytes from 1.10.1 to
1.11.1, which is the patched version.  On dev this was resolved in
56b7ea8 (#8857).