BiagioFesta / wtransport

Async-friendly WebTransport implementation in Rust
Apache License 2.0
467 stars 31 forks

deps: update to `quinn@0.11.5` (patched). #210

Closed finnbear closed 2 months ago

finnbear commented 2 months ago

Update to a version of quinn that enforces a version of quinn-proto that is patched against CVE-2024-45311.

BiagioFesta commented 2 months ago

This library (which is the generally recommended way in Rust) does not publish Cargo.lock.

This means the consumers of wtransport will get whatever quinn/quinn-proto (as all other deps) version is semver compatible.

In particular, from Cargo.toml, consumers of wtransport are going to use any quinn 0.11.x versions.

Nevertheless, I want to keep this CR and update the manifest (Cargo.toml) for maintenance purposes and keep it aligned with the current "live" versions if possible.

As always, thank you for your work on quinn and this library! :)

finnbear commented 2 months ago

This means the consumers of wtransport will get whatever quinn/quinn-proto (as all other deps) version is semver compatible.

See discussion here for why, while that is mostly true, it isn't always true.