fix: resolve security vulnerabilities and normalize tests for CI#44
- Update aws-lc-sys, rustls-webpki, and rand to fix cargo audit findings
- Replace unmaintained 'atty' with 'std::io::IsTerminal' in shipper-progress
- Normalize path slashes and binary names in snapshots for Windows/CI stability
- Pin dependencies in root Cargo.toml for reproducible builds
Code Review
This pull request performs a significant dependency update across the workspace, including replacing the 'atty' crate with the standard library's 'IsTerminal' trait. It also introduces comprehensive path and output normalization helpers in the test suite to ensure snapshot stability across different platforms. Feedback includes addressing version mismatches for cryptographic libraries ('hmac' and 'sha2') to prevent duplicate dependencies and improving the executable search helper to include the '.com' extension on Windows for consistency.
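The atty replacement called out in the PR description and in the review summary above, as an added example that is not code from the Shipper repository: a small progress-mode policy built on `std::io::IsTerminal`, which is what `atty::is(Stream::Stderr)` used to provide. The `CI` environment check, the `quiet` flag and the `ProgressMode` names are assumptions for illustration, not the shipper-progress crate's real API. The decision is kept in a pure function so it can be tested without a real TTY, which is also what keeps snapshot output stable in CI.

```rust
use std::io::{self, IsTerminal, Write};

/// Where progress output is going. Mirrors the decision that `atty::is(Stream::Stderr)`
/// used to make, but via the standard library (stable since Rust 1.70).
/// These variant names are assumptions for this example, not the crate's real API.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum ProgressMode {
    /// Interactive terminal: draw an updating bar with a carriage return.
    Interactive,
    /// Pipe, file, or CI log: emit plain, line-oriented status only.
    Plain,
    /// Caller asked for silence (e.g. a `--quiet` flag).
    Silent,
}

/// Pure policy so it is unit-testable without a TTY.
/// `stream_is_terminal` is the result of `IsTerminal::is_terminal()` on the stream,
/// `ci` is whether the `CI` environment variable is set (most CI systems set it;
/// an assumption for this example), `quiet` is a hypothetical `--quiet` flag.
pub fn choose_mode(stream_is_terminal: bool, ci: bool, quiet: bool) -> ProgressMode {
    if quiet {
        ProgressMode::Silent
    } else if stream_is_terminal && !ci {
        ProgressMode::Interactive
    } else {
        ProgressMode::Plain
    }
}

/// Inspect the live stderr handle. No extra dependency is needed, which is the
/// point of dropping the unmaintained `atty` crate.
pub fn detect_mode(quiet: bool) -> ProgressMode {
    let is_tty = io::stderr().is_terminal();
    let ci = std::env::var_os("CI").is_some();
    choose_mode(is_tty, ci, quiet)
}

/// Render one progress update for the chosen mode.
/// Interactive output uses `\r` to redraw in place; plain output is one line per update
/// so log files and snapshots stay readable.
pub fn render(mode: ProgressMode, done: usize, total: usize) -> String {
    match mode {
        ProgressMode::Silent => String::new(),
        ProgressMode::Plain => format!("[{done}/{total}]\n"),
        ProgressMode::Interactive => {
            let width: usize = 20;
            // Clamp so done > total cannot underflow the dash count.
            let filled = if total == 0 { width } else { (done * width / total).min(width) };
            format!("\r[{}{}] {done}/{total}", "#".repeat(filled), "-".repeat(width - filled))
        }
    }
}

fn main() {
    let mode = detect_mode(false);
    let mut err = io::stderr().lock();
    for i in 0..=4 {
        let _ = err.write_all(render(mode, i, 4).as_bytes());
    }
    let _ = err.write_all(b"\n");
}
```

Run it once in a terminal and once as `cargo run 2>log.txt` to see the two modes; setting `CI=1` forces the plain form even on a terminal, which is the behaviour you want for snapshot tests.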
| hmac = "0.13" | ||
| sha2 = "0.11" |
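Review bot: `hmac = "0.13"` and `sha2 = "0.11"` are caret requirements, not pins, so they do not deliver the "Pin dependencies in root Cargo.toml for reproducible builds" item from the PR description; cargo will still pick the newest 0.13.x / 0.11.x at resolution time unless Cargo.lock is committed and CI builds with `--locked`. If exact pins are intended, write `=0.13.0`-style requirements; either way keep the lockfile, since `cargo audit` (the source of the findings this PR fixes) reads Cargo.lock, not Cargo.toml.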
The hmac and sha2 dependencies have been updated to 0.13 and 0.11 respectively in this crate, but other crates in the workspace (like shipper-webhook) are still pinned to the older versions (0.12 and 0.10). This causes duplicate versions of these cryptographic libraries to be included in the dependency graph, increasing binary size and potentially causing type mismatches if types from these crates are shared. Please update all crates in the workspace to use the same versions.
| fn find_executable_on_path(program: &str) -> Option<PathBuf> { | ||
| let path_var = std::env::var_os("PATH")?; | ||
|
|
||
| #[cfg(windows)] | ||
| let candidates = [ | ||
| format!("{program}.exe"), | ||
| format!("{program}.cmd"), | ||
| format!("{program}.bat"), | ||
| program.to_string(), | ||
| ]; | ||
| #[cfg(not(windows))] | ||
| let candidates = [program.to_string()]; | ||
|
|
||
| std::env::split_paths(&path_var) | ||
| .flat_map(|dir| candidates.iter().map(move |candidate| dir.join(candidate))) | ||
| .find(|candidate| candidate.is_file()) | ||
| } |
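Review bot: `candidate.is_file()` on the `#[cfg(not(windows))]` branch accepts any regular file, so a non-executable file named `program` in an earlier PATH entry shadows the real binary in a later one; on unix also check the execute bit (`use std::os::unix::fs::PermissionsExt;` and `meta.permissions().mode() & 0o111 != 0`). On Windows the extension list is hardcoded rather than read from `PATHEXT`, and the bare `program` name is tried last, which is not how the OS resolves names. Also, `dir.join(candidate)` discards `dir` entirely when `program` is an absolute path, so the helper would return that path unchanged if it exists; if callers are expected to pass bare names only, document or assert that.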
The find_executable_on_path helper on Windows only checks for .exe, .cmd, and .bat extensions. However, the path_entry_has_cargo helper on line 235 also checks for .com. For consistency and better cross-platform reliability in tests, find_executable_on_path should also include .com in its candidate list.
| fn find_executable_on_path(program: &str) -> Option<PathBuf> { | |
| let path_var = std::env::var_os("PATH")?; | |
| #[cfg(windows)] | |
| let candidates = [ | |
| format!("{program}.exe"), | |
| format!("{program}.cmd"), | |
| format!("{program}.bat"), | |
| program.to_string(), | |
| ]; | |
| #[cfg(not(windows))] | |
| let candidates = [program.to_string()]; | |
| std::env::split_paths(&path_var) | |
| .flat_map(|dir| candidates.iter().map(move |candidate| dir.join(candidate))) | |
| .find(|candidate| candidate.is_file()) | |
| } | |
| fn find_executable_on_path(program: &str) -> Option<PathBuf> { | |
| let path_var = std::env::var_os("PATH")?; | |
| #[cfg(windows)] | |
| let candidates = [ | |
| format!("{program}.exe"), | |
| format!("{program}.cmd"), | |
| format!("{program}.bat"), | |
| format!("{program}.com"), | |
| program.to_string(), | |
| ]; | |
| #[cfg(not(windows))] | |
| let candidates = [program.to_string()]; | |
| std::env::split_paths(&path_var) | |
| .flat_map(|dir| candidates.iter().map(move |candidate| dir.join(candidate))) | |
| .find(|candidate| candidate.is_file()) | |
| } |
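Review bot: in the suggested candidate list `.com` is appended after `.bat`, but the default Windows `PATHEXT` order is `.COM;.EXE;.BAT;.CMD`, so a `foo.com` beside a `foo.exe` would resolve to the `.exe` here and to the `.com` from a shell. If the aim is consistency with real lookup (and with `path_entry_has_cargo`), put `.com` first, or build the list from `std::env::var_os("PATHEXT")` so the order is the system's rather than hardcoded.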
Summary of Changes
This Pull Request addresses several critical maintenance tasks to ensure the stability, security, and cross-platform reliability of the Shipper workspace.
Security Hardening
rustls-webpki, and
and to versions that resolve 6 vulnerabilities reported by cargo audit.
CI & Cross-Platform Stability
Status