Stream: git-wasmtime

Topic: wasmtime / issue #4837 Add some more audits for my own cr...


Wasmtime GitHub notifications bot (Aug 31 2022 at 21:14):

fitzgen commented on issue #4837:

cc @bholley

Wasmtime GitHub notifications bot (Aug 31 2022 at 21:22):

fitzgen commented on issue #4837:

Good catch, thanks.

We don't use peeking_take_while in Wasmtime so we don't have an exemption for it to remove.

I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

Wasmtime GitHub notifications bot (Aug 31 2022 at 21:24):

fitzgen commented on issue #4837:

> I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

Yeah, I added audits for the earlier versions and the exemptions go away now.

Wasmtime GitHub notifications bot (Aug 31 2022 at 21:25):

fitzgen commented on issue #4837:

Yep, done.

Wasmtime GitHub notifications bot (Aug 31 2022 at 21:27):

bholley commented on issue #4837:

Thanks!

> I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

My general recommendation for this situation (which we've run into as well) is to add an audit both for the latest version as well as the older version in tree.

And yes this PR should cover the ones Firefox is using, though while you're at it you might consider some of the other crates you own that have download stats in the millions.


Last updated: Oct 23 2024 at 20:03 UTC