Kirp (Jan 21 2025 at 13:58): Kirp (Jan 21 2025 at 13:58):I was playing around with cargo audit and saw that the version of idna (dependency of url 2.3.1 used) used has a rustsec warning https://rustsec.org/advisories/RUSTSEC-2024-0421.html. I assume this is mostly just a deficiency of tooling but also relatively hard to bump packages with cargo vet (tho in this case as Mozilla has audited url 2.5.4, maybe alright?)
fitzgen (he/him) (Jan 21 2025 at 18:35):it seems like idna is a firefox crate, so probably is already trusted/vetted and shouldn't be a problem to bump
fitzgen (he/him) (Jan 21 2025 at 18:36):I'll give it a try
fitzgen (he/him) (Jan 21 2025 at 18:37):ah its pulled in by url
fitzgen (he/him) (Jan 21 2025 at 18:38):and updating that pulls in a few other things that need vets
fitzgen (he/him) (Jan 21 2025 at 18:53):https://github.com/bytecodealliance/wasmtime/pull/10065 updates url and also idna
Last updated: Jan 24 2025 at 00:11 UTC