Update dependencies (#1181)

2025-08-14 09:18:46 +02:00 · 2023-08-18 21:45:29 +01:00
parent 69a772d1ca
commit aa8e5f5c04
10 changed files with 1091 additions and 666 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -32,12 +32,15 @@ interim = { version = "0.1.0", features = ["chrono"] }
 itertools = "0.10.5"
 rand = { version = "0.8.5", features = ["std"] }
 semver = "1.0.14"
-serde = { version = "1.0.145", features = ["derive"] }
+# https://github.com/serde-rs/serde/issues/2538
+# I don't trust dtolnay with our user's builds. especially as we
+# have things like encryption keys
+serde = { version = "1.0.145, <=1.0.171", features = ["derive"] }
 serde_json = "1.0.99"
 tokio = { version = "1", features = ["full"] }
 uuid = { version = "1.3", features = ["v4", "serde"] }
 whoami = "1.1.2"
-typed-builder = "0.14.0"
+typed-builder = "0.15.0"
 pretty_assertions = "1.3.0"

 [workspace.dependencies.reqwest]
@ -46,5 +49,5 @@ features = ["json", "rustls-tls-native-roots"]
 default-features = false

 [workspace.dependencies.sqlx]
-version = "0.6"
+version = "0.7.1"
 features = ["runtime-tokio-rustls", "chrono", "postgres", "uuid"]
--- a/atuin-client/Cargo.toml
+++ b/atuin-client/Cargo.toml
@ -44,11 +44,11 @@ sql-builder = "3"
 lazy_static = "1"
 memchr = "2.5"
 rmp = { version = "0.8.11" }
-typed-builder = "0.14.0"
+typed-builder = { workspace = true }
 tokio = { workspace = true }
 semver = { workspace = true }
 futures = "0.3"
-xsalsa20poly1305 = "0.9.0"
+crypto_secretbox = "0.1.1"
 generic-array = { version = "0.14", features = ["serde"] }

 # encryption
--- a/atuin-client/src/database.rs
+++ b/atuin-client/src/database.rs
@ -166,7 +166,7 @@ impl Sqlite {
        .bind(h.session.as_str())
        .bind(h.hostname.as_str())
        .bind(h.deleted_at.map(|t|t.timestamp_nanos()))
-        .execute(tx)
+        .execute(&mut **tx)
        .await?;

        Ok(())
--- a/atuin-client/src/encryption.rs
+++ b/atuin-client/src/encryption.rs
@ -12,15 +12,15 @@ use std::{io::prelude::*, path::PathBuf};

 use base64::prelude::{Engine, BASE64_STANDARD};
 use chrono::{DateTime, Utc};
+pub use crypto_secretbox::Key;
+use crypto_secretbox::{
+    aead::{Nonce, OsRng},
+    AeadCore, AeadInPlace, KeyInit, XSalsa20Poly1305,
+};
 use eyre::{bail, ensure, eyre, Context, Result};
 use fs_err as fs;
 use rmp::{decode::Bytes, Marker};
 use serde::{Deserialize, Serialize};
-pub use xsalsa20poly1305::Key;
-use xsalsa20poly1305::{
-    aead::{Nonce, OsRng},
-    AeadInPlace, KeyInit, XSalsa20Poly1305,
-};

 use crate::{history::History, settings::Settings};

@ -240,7 +240,7 @@ fn error_report<E: std::fmt::Debug>(err: E) -> eyre::Report {

 #[cfg(test)]
 mod test {
-    use xsalsa20poly1305::{aead::OsRng, KeyInit, XSalsa20Poly1305};
+    use crypto_secretbox::{aead::OsRng, KeyInit, XSalsa20Poly1305};

    use crate::history::History;

--- a/atuin-client/src/kv.rs
+++ b/atuin-client/src/kv.rs
@ -218,8 +218,8 @@ impl KvStore {

 #[cfg(test)]
 mod tests {
+    use crypto_secretbox::{KeyInit, XSalsa20Poly1305};
    use rand::rngs::OsRng;
-    use xsalsa20poly1305::{KeyInit, XSalsa20Poly1305};

    use crate::record::sqlite_store::SqliteStore;

--- a/atuin-client/src/record/sqlite_store.rs
+++ b/atuin-client/src/record/sqlite_store.rs
@ -72,7 +72,7 @@ impl SqliteStore {
        .bind(r.version.as_str())
        .bind(r.data.data.as_str())
        .bind(r.data.content_encryption_key.as_str())
-        .execute(tx)
+        .execute(&mut **tx)
        .await?;

        Ok(())
--- a/atuin-client/src/sync.rs
+++ b/atuin-client/src/sync.rs
@ -6,7 +6,7 @@ use chrono::prelude::*;
 use eyre::Result;

 use atuin_common::api::AddHistoryRequest;
-use xsalsa20poly1305::Key;
+use crypto_secretbox::Key;

 use crate::{
    api_client,
--- a/atuin-server-postgres/src/lib.rs
+++ b/atuin-server-postgres/src/lib.rs
@ -247,7 +247,7 @@ impl Database for Postgres {
            .bind(hostname)
            .bind(i.timestamp)
            .bind(data)
-            .execute(&mut tx)
+            .execute(&mut *tx)
            .await
            .map_err(fix_error)?;
        }
@ -375,7 +375,7 @@ impl Database for Postgres {
            .bind(&i.data.data)
            .bind(&i.data.content_encryption_key)
            .bind(user.id)
-            .execute(&mut tx)
+            .execute(&mut *tx)
            .await
            .map_err(fix_error)?;
        }
--- a/deny.toml
+++ b/deny.toml
@ -0,0 +1,105 @@
+# This template contains all of the possible sections and their default values
+
+# Note that all fields that take a lint level have these possible values:
+# * deny - An error will be produced and the check will fail
+# * warn - A warning will be produced, but the check will not fail
+# * allow - No warning or error will be produced, though in some cases a note
+# will be
+
+# The values provided in this template are the default values that will be used
+# when any section or field is not specified in your own configuration
+
+# Root options
+
+targets = []
+all-features = true
+no-default-features = false
+
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+    # time 0.1 - code path not taken
+    "RUSTSEC-2020-0071",
+    # potential to misuse ed25519-dalek 1.0
+    # used by rusty-paseto. not in a vulnerable way
+    # and we don't even use paseto public key crypto so we don't use this
+    "RUSTSEC-2022-0093",
+    # DoS with untrusted input. Only runs on the client so not a concern
+    "RUSTSEC-2021-0041",
+]
+
+# This section is considered when running `cargo deny check licenses`
+# More documentation for the licenses section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
+[licenses]
+unlicensed = "deny"
+allow = [
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "OpenSSL",
+    "Unicode-DFS-2016",
+]
+deny = []
+copyleft = "warn"
+allow-osi-fsf-free = "neither"
+default = "deny"
+confidence-threshold = 0.8
+exceptions = []
+
+# Some crates don't have (easily) machine readable licensing information,
+# adding a clarification entry for it allows you to manually specify the
+# licensing information
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+multiple-versions = "allow"
+wildcards = "warn"
+highlight = "all"
+workspace-default-features = "allow"
+external-default-features = "allow"
+allow = []
+deny = []
+skip = []
+skip-tree = []
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "warn"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "warn"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = []
+
+[sources.allow-org]
+# 1 or more github.com organizations to allow git sources for
+github = []
+# 1 or more gitlab.com organizations to allow git sources for
+gitlab = []
+# 1 or more bitbucket.org organizations to allow git sources for
+bitbucket = []