security: upgrade TLS stack (tonic 0.12) to clear rustls-webpki high alert#71
Open
jhamon wants to merge 3 commits into
Open
security: upgrade TLS stack (tonic 0.12) to clear rustls-webpki high alert#71jhamon wants to merge 3 commits into
jhamon wants to merge 3 commits into
Conversation
…3.13) Bumps tonic 0.11 -> 0.12 (and required prost 0.12 -> 0.13, tonic-build 0.11 -> 0.12) to move the whole TLS dependency tree onto rustls 0.23 / tokio-rustls 0.26, then advances rustls to 0.23.41 so rustls-webpki resolves to 0.103.13. Previously tonic 0.11 pinned tokio-rustls 0.25 -> rustls 0.22 -> rustls-webpki 0.102, so a lockfile-only bump could not reach webpki 0.103.13. Removing the rustls 0.22 path unblocks the update. Changes: - Cargo.toml: tonic 0.12, prost/prost-types 0.13, tonic-build 0.12 - codegen/proto_build: tonic/tonic-build 0.12; compile -> compile_protos - Regenerated src/protos with tonic-build 0.12 (Status::unknown, updated Service trait bounds, prost 0.13 attrs) - data.rs: ClientTlsConfig::default().with_native_roots() — tonic 0.12 no longer loads trust roots implicitly, so an empty root store would fail every TLS handshake with UnknownIssuer Verified: cargo build clean; 66/66 lib tests pass (with a dummy PINECONE_API_KEY for the mocked httpmock tests); all integration test targets compile. Cargo.lock now pins a single rustls-webpki 0.103.13. Live integration tests require PINECONE_API_KEY (not run here). Clears Dependabot alert #26 (rustls-webpki < 0.103.13, high). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…y PR) - Add #[allow(clippy::result_large_err)] to client() and default_client() - Remove unneeded return statement in src/utils/user_agent.rs - Add #[allow(clippy::derivable_impls)] before Default impls in 7 generated openapi model files Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The tonic 0.12 upgrade regenerated src/protos/mod.rs with formatting that rustfmt 1.9 rewrites. Apply cargo fmt to clear the failing Rustfmt CI check. Formatting-only; no semantic change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clears the last open high Dependabot alert on this repo that a lockfile bump could not: rustls-webpki < 0.103.13 (alert #26 — Denial of service via panic on malformed CRL BIT STRING). Follow-up from PIN-6 / PR #70.
Reaching webpki 0.103.13 required moving the whole TLS tree off rustls 0.22. tonic 0.11 pinned
tokio-rustls 0.25 -> rustls 0.22 -> rustls-webpki 0.102; that path is stuck on webpki 0.102 forever. Bumping tonic 0.11 -> 0.12 removes it, putting both the gRPC and reqwest paths on rustls 0.23, which then advances to a version using webpki 0.103.13.Changes
Cargo.toml:tonic0.11 → 0.12,prost/prost-types0.12 → 0.13 (required by tonic 0.12),tonic-build0.11 → 0.12. TLS features unchanged (tls,transport,tls-roots).codegen/proto_build:tonic/tonic-build→ 0.12;compile()→compile_protos()(0.11 method was deprecated).src/protos/with tonic-build 0.12 (Status::unknown, updatedServicetrait bounds, prost 0.13 attributes).src/pinecone/data.rs:ClientTlsConfig::default()→.default().with_native_roots(). Behavioral fix: tonic 0.12 no longer loads trust roots implicitly — an empty root store would fail every TLS handshake withUnknownIssuer.with_native_roots()matches thetls-rootsfeature.Cargo.lock: singlerustls-webpkiat 0.103.13;rustls0.23.41; rustls 0.22 / tokio-rustls 0.25 removed.Verification
cargo build— clean.cargo test --lib— 66/66 pass (with a dummyPINECONE_API_KEY; the 6 mocked httpmock tests only require a non-empty key).cargo test --no-run— all integration test targets compile.grep rustls-webpki Cargo.lock→ exactly one entry,0.103.13(≥ patched 0.103.13). Alert Move proto build script to separate binary #26 clears on merge.Acceptance (PIN-14)
rustls-webpki >= 0.103.13inCargo.lockCloses PIN-14.
🤖 Generated with Claude Code