Among other changes, this release adds a requirement across all crates for multihash>= v0.11.3. Rust-libp2p versions in combination with multihash< v0.11.3 are vulnerable to DoS attacks. Given that e.g. PeerId::from_bytes is called with unsanitized data from possibly untrusted sources this call can panic with multihash< v0.11.3see RustSec for details.
In case you run libp2p in untrusted environments please either (a) update to libp2pv0.30.0 or (b) make sure to run with multihash>=v0.11.3 via your downstream Cargo.lock file.
As always all other contained changes are listed in our CHANGELOG.md.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
Bumps libp2p from 0.29.1 to 0.34.0.
Release notes
Sourced from libp2p's releases.
Changelog
Sourced from libp2p's changelog.
Commits
9aaa624
protocols/gossipsub/Cargo.toml: Fix feature name typodb02cfa
*: Prepare v0.34.0 release (#1918)a10f4e2
*: Update to tokio v1.0.1 (#1919)a223e4b
[websocket] Switch async-tls to futures-rustls (#1889)477f7ae
*: Update to prost-build v0.7 (#1917)7367927
Update uint requirement from 0.8 to 0.9 (#1915)ec0f8a3
[tcp] Port-reuse, async-io, if-watch (#1887)c98b9ef
*: Switch futures_codec to asynchronous-codec (#1908)aa2547e
Prepare parity-multiaddr-0.10.1eeaffd3
Update onion_addr.rs (#1912)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually