fix: update actix-http to 3.12.1 to resolve GHSA-xhj4-vrgc-hr34 #9981
Open
Co-Authored-By: Oz <oz-agent@warp.dev>
Contributor
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Contributor
Overview
This Cargo.lock-only PR updates actix-http from 3.11.0 to 3.12.1 to pick up the fix for GHSA-xhj4-vrgc-hr34, along with resolver-required transitive changes including prettyplease and rand/getrandom/WASI-related packages.
Concerns
- No blocking correctness or security concerns found in the annotated diff. New and updated dependencies are registry packages with checksums pinned in Cargo.lock; no source, configuration, authentication, secret-handling, or runtime input-handling logic changed.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Summary
Updates actix-http from 3.11.0 to 3.12.1 to resolve GHSA-xhj4-vrgc-hr34 — an HTTP/1.1 CL.TE Request Smuggling vulnerability.
Dependabot alert: https://github.com/warpdotdev/warp/security/dependabot/3
What changed
- actix-http: 3.11.0 → 3.12.1
- prettyplease: 0.2.15 → 0.2.37 (transitive, required to resolve dependency conflict)
- rand 0.10.1, getrandom 0.4.2, wasip3, wit-bindgen ecosystem crates
This is a Cargo.lock-only change — no source code modifications.
Why Dependabot couldn't fix this
Dependabot reported: "The latest possible version of actix-http that can be installed is 3.12.0. The earliest fixed version is 3.12.1."
The root cause:
actix-http 3.12.1 bumped its rand dependency from ^0.9 to ^0.10.1. The new rand 0.10.1 transitively requires getrandom 0.4.0 → wasip3 → wit-bindgen 0.51.0 → wit-bindgen-rust-macro 0.51.0 → prettyplease ^0.2.20, which conflicted with the locked prettyplease 0.2.15. Dependabot only updates one package at a time, so it couldn't resolve the prettyplease conflict simultaneously.
Fix: cargo update -p actix-http --precise 3.12.1 -p prettyplease — updating both packages together resolves the conflict.
Dependency relationship
actix-http is a transitive dependency pulled in via:
- sentry 0.41.0 → sentry-actix 0.41.0 → actix-http
- sentry-actix 0.41.0 → actix-web 4.10.2 → actix-http
Verification
cargo audit confirms GHSA-xhj4-vrgc-hr34 no longer appears for actix-http
Conversation: https://staging.warp.dev/conversation/76c240a3-d74e-4e2f-adf6-39f3dc80d0c8
Run: https://oz.staging.warp.dev/runs/019dee91-7d86-7a3d-a126-d0f792b56772
This PR was generated with Oz.
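A lockfile check for the situation described under "Why Dependabot couldn't fix this", added here as an example and not part of the PR or the repository: it parses a constructed Cargo.lock excerpt, confirms actix-http is at or above the advisory's first fixed version, and confirms the locked prettyplease falls inside the ^0.2.20 caret range that the transitive chain demands (Cargo treats a bare version requirement as caret, and on 0.x versions caret only allows the patch number to move). The lockfile excerpt, the FIXED and REQUIRED tables and all function names are constructed for this example.

```python
# Constructed Cargo.lock excerpt (not the repository's real lockfile);
# source/checksum lines omitted for brevity.
LOCK_AFTER = """\
[[package]]
name = "actix-http"
version = "3.12.1"

[[package]]
name = "prettyplease"
version = "0.2.37"
"""
# The pre-update state that Dependabot could not move past on its own.
LOCK_BEFORE = LOCK_AFTER.replace('"3.12.1"', '"3.11.0"').replace('"0.2.37"', '"0.2.15"')

def parse_lock(text):
    """Map crate name -> list of pinned versions (a crate can be locked twice)."""
    pins, name = {}, None
    for line in text.splitlines():
        if line.startswith("name = "):
            name = line.split('"')[1]
        elif line.startswith("version = ") and name:
            pins.setdefault(name, []).append(line.split('"')[1])
    return pins

def vtuple(v):
    return tuple(int(x) for x in v.split("."))  # plain x.y.z only, no pre-release tags

def caret_upper(req):
    """Exclusive upper bound of a Cargo caret requirement: ^0.2.20 means < 0.3.0."""
    major, minor, patch = vtuple(req)
    if major > 0:
        return (major + 1, 0, 0)
    return (0, minor + 1, 0) if minor > 0 else (0, 0, patch + 1)

def satisfies(version, req):
    """True if version lies inside the caret range of req (Cargo's default operator)."""
    return vtuple(req) <= vtuple(version) < caret_upper(req)

def lock_ok(text, fixed, required):
    """fixed: {crate: first patched version}; required: {crate: caret req}; absent crates pass."""
    pins = parse_lock(text)
    for crate, minimum in fixed.items():
        if any(vtuple(v) < vtuple(minimum) for v in pins.get(crate, [])):
            return False
    for crate, req in required.items():
        if any(not satisfies(v, req) for v in pins.get(crate, [])):
            return False
    return True

FIXED = {"actix-http": "3.12.1"}       # first version fixing GHSA-xhj4-vrgc-hr34
REQUIRED = {"prettyplease": "0.2.20"}  # ^0.2.20 demanded by wit-bindgen-rust-macro
```

Run it against a real Cargo.lock by reading the file into `lock_ok` with the same FIXED and REQUIRED tables; a False result on the pre-update lockfile and True afterwards is the outcome the PR describes.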