jameysharp opened PR #8278 from jameysharp:vet-violations to bytecodealliance:main:
When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions.
Alex updated our dependencies to pull in the fixed versions in #7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used.
jameysharp requested alexcrichton for a review on PR #8278.
jameysharp requested wasmtime-default-reviewers for a review on PR #8278.
jameysharp commented on PR #8278:
I'm confused by the CI failure here. I ran `cargo vet` locally and, although it complained about the new `wasmtime-slab` crate not having an `audit-as-crates-io` entry, it didn't complain about my actual changes. However I do get the same errors as in CI if I use `cargo vet --locked`; maybe the audit-as-crates-io thing masked the issue.
alexcrichton submitted PR review:
I personally get pretty confused with the interactions of our configuration and new crates we add. I think it's an unfortunate interaction by how when a new crate is added it's not published on crates.io but then later on once it gets published we need new configuration, but only after it's later been published. Or... something like that? I've never bottomed it out to fully understand what's happening here, I tend to just throw things at the wall and see what sticks.
alexcrichton commented on PR #8278:
You may need to remove `~/.cache/cargo-vet`, I just did that to resolve a difference I was seeing on CI as well
jameysharp updated PR #8278.
Last updated: Jan 24 2025 at 00:11 UTC