Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update RustCrypto/signature crates #532

Merged
merged 2 commits into from
Sep 25, 2023
Merged

Update RustCrypto/signature crates #532

merged 2 commits into from
Sep 25, 2023

Conversation

sbihel
Copy link
Member

@sbihel sbihel commented Sep 21, 2023

Mostly to upgrade ed25519-dalek which has a vulnerability.

The impact should be minimal, but does include empty error messages when recovered addresses don't match. This was to avoid breaking changes, and it should be addressed after the upcoming major refactor.

async-trait = "0.1"
thiserror = "1.0"
multibase = "0.8"
k256 = { version = "0.11", optional = true, features = ["ecdsa"] }
p256 = { version = "0.11", optional = true, features = ["ecdsa"] }
k256 = { version = "0.13.1", optional = true, features = ["ecdsa"] }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to pin to a specific minor version? I would think that with something like RustCrypto that actually follows semver that we'd want the minor field to float in case they find some bug that doesn't require an API change.

If we're willing to take the extra maintenance burden in exchange for a more curated set of dependencies, I'm down for that. I just want to make sure that's the trade off we explicitly want to make.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I usually always specify minor and patch, with tools like dependabot I think it's not that much work for better stability. But in this case, being v0, the minor is actually the major

Mostly to upgrade ed25519-dalek which has a vulnerability.

The impact should be minimal, but does include empty error messages when
recovered addresses don't match. This was to avoid breaking changes, and
it should be addressed after the upcoming major refactor.
@sbihel sbihel merged commit 6d94132 into main Sep 25, 2023
3 checks passed
@sbihel sbihel deleted the fix/update-rustcrypto branch September 25, 2023 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants