launchdarkly / rust-server-sdk

LaunchDarkly Server-Side SDK for Rust
https://docs.launchdarkly.com/sdk/server-side/rust

dependency tree is vulnerable to RUSTSEC-2023-0052 #49

Closed sassman closed 10 months ago

sassman commented 1 year ago

This relates to https://github.com/launchdarkly/rust-eventsource-client/issues/55. The issue is transitive and goes like this:

The problematic package is webpki@0.21.4; the tree goes as follows:

    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
      │       └── launchdarkly-server-sdk v1.1.3

The whole log from `cargo deny check advisories`:

    538 │ webpki 0.21.4 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0052
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    = When this crate is given a pathological certificate chain to validate, it will
      spend CPU time exponential with the number of candidate certificates at each
      step of path building.

      Both TLS clients and TLS servers that accept client certificate are affected.

      This was previously reported in
      <https://github.com/briansmith/webpki/issues/69> and re-reported recently
      by Luke Malinowski.

      `rustls-webpki` is a fork of this crate which contains a fix for this issue
      and is actively maintained.
    = Solution: No safe upgrade is available!
    = webpki v0.21.4
      ├── hyper-rustls v0.22.1
      │   └── eventsource-client v0.11.0
          │       └── launchdarkly-server-sdk v1.1.3

cwaldren-ld commented 1 year ago

Hi @sassman, answered here.

keelerm84 commented 10 months ago

v2 has an updated version of the hyper-rustls library, so this vulnerability should be addressed.