ChrisMacNaughton / vault-rs

https://docs.rs/hashicorp_vault

Update reqwest dependency #45

Closed stephaneyfx closed 3 years ago

stephaneyfx commented 3 years ago

This addresses vulnerability RUSTSEC-2021-0020 reported by cargo-audit.

I have only updated to reqwest 0.10 and not 0.11 because the latter depends on tokio 1 and the async ecosystem hasn't fully migrated yet, so it seems useful to have a version supporting tokio 0.2. Maybe hashicorp_vault 1.2 could use tokio 0.2 and hashicorp_vault 1.3 could switch to tokio 1? -- Note that I haven't checked if a minor or major bump should be done; I'd think tokio is not exposed by this crate because of its use of the blocking reqwest client.

Thank you.

ChrisMacNaughton commented 3 years ago

This looks like a great change. In terms of version bumping, the reqwest::Response is currently exposed via the VaultResponse error. Even though that's the only place that I expect it's visible, I suspect it should get a major version bump, so I think that I'll hold off on a release until https://github.com/ChrisMacNaughton/vault-rs/pull/44 lands as well.

stephaneyfx commented 3 years ago

Thank you for the quick merge and publication!