-
Notifications
You must be signed in to change notification settings - Fork 744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In-tree libraries vulnerable to RUSTSEC-2023-0052 due to jsonrpsee #2
Comments
cc @niklasad1 |
The bump bot actually claims that this closes the problem for us paritytech/substrate#14812
|
There is an open PR for jsonrpsee bump paritytech/substrate#13992 but we have discovered a few regressions, it's on our radar. FWIW, it just the jsonrpsee client that is concerned by this issue and I think bumping the |
Sorry for missing the PRs, and thanks for clarifying it's the client code alone. 0.16 uses webpki, which doesn't have a bump available, not rustls-webpki hence the issue (though again, I do hear that's just for the client code which I'm unsure if it impacts this repo directly). |
It doesn't impact the substrate node (the RPC server) but there are some "tools" in the substrate repo that are using jsonrpsee client. |
I'll fix this issue on jsonrpsee v0.16 as well |
Much appreciated! Thank you for the patch release! |
Closed by the jsonrpsee patch release v0.16.3 |
1. Benchmark results are collected in a single struct. 2. The output of the results is prettified. 3. The result struct used to save the output as a yaml and store it in artifacts in a CI job. ``` $ cargo run -p polkadot-subsystem-bench --release -- test-sequence --path polkadot/node/subsystem-bench/examples/availability_read.yaml | tee output.txt $ cat output.txt polkadot/node/subsystem-bench/examples/availability_read.yaml #1 Network usage, KiB total per block Received from peers 510796.000 170265.333 Sent to peers 221.000 73.667 CPU usage, s total per block availability-recovery 38.671 12.890 Test environment 0.255 0.085 polkadot/node/subsystem-bench/examples/availability_read.yaml #2 Network usage, KiB total per block Received from peers 413633.000 137877.667 Sent to peers 353.000 117.667 CPU usage, s total per block availability-recovery 52.630 17.543 Test environment 0.271 0.090 polkadot/node/subsystem-bench/examples/availability_read.yaml #3 Network usage, KiB total per block Received from peers 424379.000 141459.667 Sent to peers 703.000 234.333 CPU usage, s total per block availability-recovery 51.128 17.043 Test environment 0.502 0.167 ``` ``` $ cargo run -p polkadot-subsystem-bench --release -- --ci test-sequence --path polkadot/node/subsystem-bench/examples/availability_read.yaml | tee output.txt $ cat output.txt - benchmark_name: 'polkadot/node/subsystem-bench/examples/availability_read.yaml #1' network: - resource: Received from peers total: 509011.0 per_block: 169670.33333333334 - resource: Sent to peers total: 220.0 per_block: 73.33333333333333 cpu: - resource: availability-recovery total: 31.845848445 per_block: 10.615282815 - resource: Test environment total: 0.23582828799999941 per_block: 0.07860942933333313 - benchmark_name: 'polkadot/node/subsystem-bench/examples/availability_read.yaml #2' network: - resource: Received from peers total: 411738.0 per_block: 137246.0 - resource: Sent to peers total: 351.0 per_block: 117.0 cpu: - resource: availability-recovery total: 18.93596025099999 per_block: 6.31198675033333 - resource: Test environment total: 0.2541994199999979 per_block: 0.0847331399999993 - benchmark_name: 'polkadot/node/subsystem-bench/examples/availability_read.yaml #3' network: - resource: Received from peers total: 424548.0 per_block: 141516.0 - resource: Sent to peers total: 703.0 per_block: 234.33333333333334 cpu: - resource: availability-recovery total: 16.54178526900001 per_block: 5.513928423000003 - resource: Test environment total: 0.43960946299999537 per_block: 0.14653648766666513 ``` --------- Co-authored-by: Andrei Sandu <[email protected]>
…ch#2) * A0-4022: Reduced multi block contract migration weight by 4 * Previous approach was a no-op
* Deploy rustdoc on GA * Update README.md
Is there an existing issue?
Experiencing problems? Have you tried our Stack Exchange first?
Description of bug
jsonrpsee (currently 0.16) pulls in a variety of legacy networking crates, including ones vulnerable to RUSTSEC-2023-0052. AFAICT, updating to 0.20 updates everything (or almost everything) in the dependency tree from webpki to rustls-webpki, resolving the RUSTSEC (and also modernizing the tree in generally).
I did try to perform the work locally, yet the amount of changes to the subscription API made me realize I could not do a proper job within a reasonable amount of time due to my unfamiliarity with the codebase in question.
Apologies if this isn't optimally filed.
Steps to reproduce
No response
The text was updated successfully, but these errors were encountered: