Among other changes, this release adds a requirement across all crates for multihash>= v0.11.3. Rust-libp2p versions in combination with multihash< v0.11.3 are vulnerable to DoS attacks. Given that e.g. PeerId::from_bytes is called with unsanitized data from possibly untrusted sources this call can panic with multihash< v0.11.3see RustSec for details.
In case you run libp2p in untrusted environments please either (a) update to libp2pv0.30.0 or (b) make sure to run with multihash>=v0.11.3 via your downstream Cargo.lock file.
As always all other contained changes are listed in our CHANGELOG.md.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
Bumps libp2p from 0.29.1 to 0.35.1.
Release notes
Sourced from libp2p's releases.
Changelog
Sourced from libp2p's changelog.
... (truncated)
Commits
c072cd2
Update to yamux-0.8.1 (#1959)cda7c35
Prepare v0.35 (#1957)26f6b96
*: Require at least if-watch v0.1.8 (#1956)6499e92
Make clippy "happy". (#1950)12557a3
swarm/behaviour: Document inject_connected called for first only (#1954)2816023
Bump styfle/cancel-workflow-action from 0.7.0 to 0.8.0 (#1955)639e5c6
Update unsigned-varint and asynchronous-codec (#1946)5ddc8d4
README.md: Add Forest to users list (#1953)40ce05f
protocols/request-response: Test is_pending_outbound (#1938)4d290c5
README: Remove dead-link badges (#1951)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually