paritytech / substrate

Substrate: The platform for blockchain innovators
Apache License 2.0

Update `sc-authority-discovery` vulnerable dependency #11007

Closed felixfaisal closed 2 years ago

felixfaisal commented 2 years ago

Currently, sc-authority-discovery makes use of libp2p v0.40, which has a dependency on lru v0.6.6, which has a security issue. Refer to Bug Report

Recommendation: Update dependency libp2p to version 0.41.0 or higher

Cargo audit output:

Crate:         lru
Version:       0.6.6
Title:         Use after free in lru crate
Date:          2021-12-21
ID:            RUSTSEC-2021-0130
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0130
Solution:      Upgrade to >=0.7.1
Dependency tree: 
lru 0.6.6
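The cargo audit report above names the vulnerable crate and the fixed version (lru >= 0.7.1) but, as extracted here, the dependency tree is cut off, so it does not show which crate pulls the bad version in. The following is an added example (not code from this issue or from Substrate) of the check a maintainer would run to answer that question from a Cargo.lock file: it parses the `[[package]]` entries, flags every version of a crate below the advisory's fixed version, and lists the packages whose `dependencies` reference that version. The lockfile fragment embedded in it is constructed for the example, and the crate names and versions in it are illustrative, not Substrate's real dependency graph.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock fragment for this example (not Substrate's real
# lockfile). Two versions of lru are present: one below the RUSTSEC-2021-0130
# fix threshold (>= 0.7.1) and one above it. Cargo writes a dependency entry as
# "name" when only one version of that crate exists in the lockfile and as
# "name version" when several do.
SAMPLE_CARGO_LOCK = """
[[package]]
name = "libp2p-kad"
version = "0.32.0"
dependencies = [
 "lru 0.6.6",
]

[[package]]
name = "lru"
version = "0.6.6"

[[package]]
name = "lru"
version = "0.7.2"

[[package]]
name = "sc-authority-discovery"
version = "0.10.0-dev"
dependencies = [
 "libp2p-kad",
 "lru 0.7.2",
]
"""

Package = Tuple[str, str, List[str]]  # (name, version, dependency strings)


def parse_cargo_lock(text: str) -> List[Package]:
    """Split a Cargo.lock into [[package]] entries and pull out name, version and deps."""
    packages: List[Package] = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        # Dependency lines look like:  "lru 0.6.6",  or  "libp2p-kad",
        deps = re.findall(r'^\s*"([^"]+)",', block, re.M)
        packages.append((name, version, deps))
    return packages


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare numerically on the major.minor.patch part, ignoring a -pre suffix."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def vulnerable_versions(packages: List[Package], crate: str, fixed: str) -> List[str]:
    """Every version of `crate` in the lockfile that is older than the fixed version."""
    return [v for (n, v, _) in packages if n == crate and version_tuple(v) < version_tuple(fixed)]


def find_dependents(packages: List[Package], crate: str, version: str) -> List[str]:
    """Packages whose dependency list references crate@version."""
    versions_present = {v for (n, v, _) in packages if n == crate}
    dependents: List[str] = []
    for name, _, deps in packages:
        for dep in deps:
            parts = dep.split()
            if parts[0] != crate:
                continue
            # Unqualified reference: unambiguous only if a single version exists.
            if len(parts) == 1 and len(versions_present) == 1:
                dependents.append(name)
                break
            if len(parts) >= 2 and parts[1] == version:
                dependents.append(name)
                break
    return dependents


def audit_lock(text: str, crate: str, fixed: str) -> Dict[str, List[str]]:
    """Map each vulnerable version of `crate` to the packages that pull it in."""
    packages = parse_cargo_lock(text)
    return {v: find_dependents(packages, crate, v) for v in vulnerable_versions(packages, crate, fixed)}


if __name__ == "__main__":
    findings = audit_lock(SAMPLE_CARGO_LOCK, "lru", "0.7.1")
    for version, dependents in findings.items():
        print(f"lru {version} is below the fixed version 0.7.1; pulled in by: {', '.join(dependents)}")
```

With the constructed lockfile the only finding is lru 0.6.6, reached through libp2p-kad, which is the kind of answer that tells you the fix is an upstream libp2p bump rather than a direct dependency change in sc-authority-discovery. On a real tree, `cargo tree -i lru@0.6.6` gives the same inverse view; the script is useful where cargo is not available, such as in a CI lint over a checked-in Cargo.lock.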
bkchr commented 2 years ago

@kpp could you do this? Aka upgrading the libp2p version?

kpp commented 2 years ago

Yes