Open uncomfyhalomacro opened 1 year ago
Thanks for mentioning this.
I am not sure if this issue affects Tectonic in practice. We only use hyper as a server in the test suite, where the version requirement in the top-level Cargo.toml is only for version 0.12 (which still lacks this HTTP/2 max_header_list_size parameter).

We use hyper as a client in the main program through the reqwest library; the current version in the lockfile is 0.14.23, which contains the new API associated with this report. I don't know if reqwest does anything with this API. Based on the discussion in https://github.com/hyperium/hyper/issues/2826, it sounds as if Tectonic's current behavior should not pose any problems.

That being said, it would not hurt to update the hyper dependency in the test suite to stay in sync with newer versions and potentially avoid some automated security reports.
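As an added example, not code from the Tectonic project or from anyone in this thread: the comment above hinges on which versions of one crate are actually resolved in the lockfile (an old 0.12 pinned by a dev-dependency next to the 0.14 pulled in through reqwest). The Python below reads a Cargo.lock, lists every resolved version of a named crate and flags the ones below a chosen minimum. The lockfile excerpt is constructed for illustration, and the `0.14.0` threshold is a placeholder for whatever minimum you decide on, not a fixed version taken from any advisory.

```python
import re

# Constructed sample Cargo.lock excerpt (not Tectonic's real lockfile): the
# same crate resolved at two versions, as happens when a dev-dependency pins
# an old major version while a client library pulls in a newer one.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "hyper"
version = "0.12.36"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hyper"
version = "0.14.23"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "reqwest"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "hyper 0.14.23",
]
"""

# Each [[package]] header starts a new entry; only top-level `key = "value"`
# lines are read, so the indented entries of a `dependencies = [...]` array
# are ignored.
PACKAGE_RE = re.compile(r'^\[\[package\]\]\s*$', re.M)
FIELD_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def parse_lock(text):
    """Return a list of (name, version) for every [[package]] entry."""
    pkgs = []
    chunks = PACKAGE_RE.split(text)[1:]  # drop the preamble before the first entry
    for chunk in chunks:
        fields = dict(FIELD_RE.findall(chunk))
        if "name" in fields and "version" in fields:
            pkgs.append((fields["name"], fields["version"]))
    return pkgs


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple (pre-release/build suffix dropped)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def resolved_versions(text, crate):
    """All distinct versions of `crate` present in the lockfile, oldest first."""
    return sorted({ver for name, ver in parse_lock(text) if name == crate},
                  key=parse_version)


def outdated_versions(text, crate, minimum):
    """Versions of `crate` in the lockfile that are older than `minimum`."""
    min_t = parse_version(minimum)
    return [v for v in resolved_versions(text, crate) if parse_version(v) < min_t]


if __name__ == "__main__":
    # Placeholder threshold for the demo; substitute the minimum you require.
    for v in outdated_versions(SAMPLE_LOCK, "hyper", "0.14.0"):
        print(f"hyper {v} is below the required minimum")
```

Running it on a real lockfile (`open("Cargo.lock").read()` in place of `SAMPLE_LOCK`) shows at a glance whether an old version of a crate is still resolved, which is the case the comment describes: a dev-dependency requirement can keep an old major version in the tree even when the main program already uses a newer one.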
I agree that it's just the crate and not Tectonic. I opened this for compliance and to help remove the bug report in Bugzilla.
Thanks for the response though!
Well, I want to make sure that we are on top of any security concerns even if they're formalities. Please let me know if we can take any steps to keep things tidy here.
Source: https://bugzilla.opensuse.org/show_bug.cgi?id=1208561
Related Bugzilla report: https://bugzilla.opensuse.org/show_bug.cgi?id=1208551