fix: bump `h2` version to patched one, while reqwest has not been

bitcoindevkit / rust-esplora-client

Bitcoin Esplora API client library. Supports plaintext, TLS and Onion servers. Blocking or async.

MIT License

28 stars 44 forks source link

fix: bump `h2` version to patched one, while reqwest has not been #72

Closed oleonardolima closed 7 months ago

oleonardolima commented 7 months ago

fix: bump h2 version to patched one, while reqwest has not been

check: https://rustsec.org/advisories/RUSTSEC-2024-0003

oleonardolima commented 7 months ago

@notmandatory @vladimirfomene As we don't have the Cargo.lock file on the repo, I wasn't sure about the best way to update/bump it.

notmandatory commented 7 months ago

Can we bump the dependency that brings in h2 to get a patched version rather than just bumping h2?

oleonardolima commented 7 months ago

Can we bump the dependency that brings in h2 to get a patched version rather than just bumping h2?

@notmandatory Actually we can close this PR, I did deeper research, and the request crate does have a specific h2 version (they have ^0.3.14), and neither it's being pinned nor are we providing a Cargo.lock file, so it's fine as it is.