
fix(deps): upgrade reqwest 0.11 → 0.12 to fix rustls-webpki vulnerability#617

Merged
ErikBjare merged 1 commit into ActivityWatch:master from 0xbrayo:fix/reqwest-0.12-upgrade on Jun 13, 2026

Conversation

@0xbrayo 0xbrayo commented Jun 13, 2026

Member

Summary

Fixes the rustls-webpki 0.101.7 vulnerability flagged by Dependabot (#592) by upgrading reqwest from 0.11 → 0.12.

reqwest 0.11.x pins rustls 0.21.x, which only allows the vulnerable rustls-webpki 0.101.7. rustls-webpki 0.101.x was never patched, so a [patch.crates-io] shim isn't possible. Upgrading to reqwest 0.12 pulls in rustls 0.23 and rustls-webpki 0.103.13, removing the vulnerable version from the dependency tree.

Changes

  • aw-client-rust/Cargo.toml: reqwest 0.11 → 0.12
  • aw-sync/Cargo.toml: reqwest 0.11 → 0.12
  • Cargo.lock: regenerated (rustls-webpki 0.101.7 → 0.103.13, rustls 0.21 → 0.23, hyper 0.14 → 1.x, etc.)

Notes

Verification

  • cargo build --workspace
  • cargo test -p aw-client-rust ✅ (all tests pass, including the async/blocking status-error tests)
  • cargo clippy -p aw-client-rust -p aw-sync ✅ (no new warnings)

Closes #592

reqwest 0.11.x pins rustls 0.21.x, which only allows the vulnerable
rustls-webpki 0.101.7 (flagged by Dependabot, GHSA for rustls-webpki).
Upgrading to reqwest 0.12 pulls in rustls 0.23 and rustls-webpki
0.103.13, removing the vulnerable version from the tree.

The rustls-tls-native-roots feature is kept (required for Android
builds). No source changes were needed; the reqwest API surface used
by aw-client-rust and aw-sync is unchanged between 0.11 and 0.12.

Closes ActivityWatch#592
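A check a reviewer could run against the regenerated lock file, added here as an example and not part of this PR or of ActivityWatch's code: it reads the [[package]] entries of a Cargo.lock and flags any rustls-webpki in the 0.101.x range, the range the PR description gives as never patched. The two embedded lock files are constructed samples, not the repository's (patch numbers other than rustls-webpki's are made up), the tiny parser relies on cargo's one-key-per-line layout rather than the toml crate, and the advisory label is the PR's own wording since no GHSA identifier is given on the page. It also covers the caveat from the review: a crate can be listed twice (hyper 0.14 and 1.x here), so the scan must look at every entry rather than stop at the first matching name.

```rust
// Added example, not ActivityWatch code: scan a Cargo.lock for package
// entries whose version falls in a known-affected range, so "the vulnerable
// crate is gone from the lock file" can be checked mechanically.
//
// Cargo.lock is line-oriented TOML: each dependency is a [[package]] table
// with `name = "..."` and `version = "..."` keys. The same crate can appear
// more than once, so every entry is inspected.

/// Semantic version core; pre-release and build metadata are dropped.
pub type Version = (u64, u64, u64);

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Minimal Cargo.lock reader. cargo generates the file, so keys are one per
/// line and quoted with plain `"`; no toml crate is needed.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
        // Only a block carrying both keys is a package; the top-level
        // `version = 3` format line has no name and is dropped here.
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut packages = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut packages);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut packages);
    packages
}

pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// One advisory expressed as a predicate over parsed versions.
pub struct VulnRule {
    pub crate_name: &'static str,
    pub advisory: &'static str,
    pub affected: fn(Version) -> bool,
}

// Range taken from the PR text: rustls-webpki 0.101.x was never patched.
fn rustls_webpki_unpatched(v: Version) -> bool {
    let (major, minor, _) = v;
    major == 0 && minor == 101
}

pub fn rules() -> Vec<VulnRule> {
    vec![VulnRule {
        crate_name: "rustls-webpki",
        advisory: "GHSA for rustls-webpki (Dependabot #592): 0.101.x unpatched",
        affected: rustls_webpki_unpatched,
    }]
}

/// Every entry a rule flags. Unparseable versions are reported too; a scanner
/// that silently skips them is how a stale entry gets missed.
pub fn find_vulnerable(packages: &[LockedPackage], rules: &[VulnRule]) -> Vec<String> {
    let mut hits = Vec::new();
    for pkg in packages {
        for rule in rules.iter().filter(|r| r.crate_name == pkg.name) {
            match parse_version(&pkg.version) {
                Some(v) if (rule.affected)(v) => {
                    hits.push(format!("{} {}: {}", pkg.name, pkg.version, rule.advisory))
                }
                Some(_) => {}
                None => hits.push(format!("{} {}: unparseable version", pkg.name, pkg.version)),
            }
        }
    }
    hits
}

/// Constructed "before" lock (reqwest 0.11 chain); patch numbers other than
/// rustls-webpki's are made up.
pub const LOCK_BEFORE: &str = r#"
version = 3

[[package]]
name = "hyper"
version = "0.14.0"

[[package]]
name = "reqwest"
version = "0.11.0"
dependencies = [
 "hyper",
 "rustls",
]

[[package]]
name = "rustls"
version = "0.21.0"

[[package]]
name = "rustls-webpki"
version = "0.101.7"
"#;

/// Constructed "after" lock: reqwest 0.12 chain, with hyper 0.14 still
/// present for another workspace crate, as the review notes.
pub const LOCK_AFTER: &str = r#"
version = 3

[[package]]
name = "hyper"
version = "0.14.0"

[[package]]
name = "hyper"
version = "1.0.0"

[[package]]
name = "reqwest"
version = "0.12.0"

[[package]]
name = "rustls"
version = "0.23.0"

[[package]]
name = "rustls-webpki"
version = "0.103.13"
"#;

fn main() {
    for (label, lock) in [("before", LOCK_BEFORE), ("after", LOCK_AFTER)] {
        let hits = find_vulnerable(&parse_cargo_lock(lock), &rules());
        println!("{label}: {} flagged {:?}", hits.len(), hits);
    }
}
```

In a real checkout, `cargo tree -i rustls-webpki` or `cargo audit` answers the same question against the live dependency graph; the point of a lock-file-only scan is that it needs nothing but the file, so it can run on the PR diff in CI before anything is built.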

codecov Bot commented Jun 13, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.13%. Comparing base (656f3c9) to head (e5df56a).
⚠️ Report is 62 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #617      +/-   ##
==========================================
+ Coverage   70.81%   77.13%   +6.31%     
==========================================
  Files          51       62      +11     
  Lines        2916     4951    +2035     
==========================================
+ Hits         2065     3819    +1754     
- Misses        851     1132     +281     



greptile-apps Bot commented Jun 13, 2026


Greptile Summary

This PR upgrades reqwest from 0.11 → 0.12 in aw-client-rust and aw-sync to eliminate the rustls-webpki 0.101.7 vulnerability (Dependabot #592). No source code changes were required because the reqwest API surface used by both crates is stable across the version boundary.

  • aw-client-rust/Cargo.toml: version pin changed to 0.12; all existing features (json, blocking, rustls-tls-native-roots, default-features = false) are preserved.
  • aw-sync/Cargo.toml: version pin changed to 0.12; feature set (json, blocking) and default-features behavior are unchanged from 0.11.
  • Cargo.lock: regenerated — rustls-webpki 0.101.7 is gone, replaced by 0.103.13; rustls moves from 0.21 → 0.23 and hyper from 0.14 → 1.x for the reqwest dependency chain.

Confidence Score: 5/5

Safe to merge — the change is a targeted dependency version bump with no source modifications, the vulnerable crate is confirmed removed from the lock file, and the PR author verified a clean build and full test run.

The change touches only two version strings in Cargo.toml files and the regenerated lock file. The reqwest API used by both crates (json serialization, blocking client) is backward-compatible across 0.11 → 0.12, the vulnerable rustls-webpki 0.101.7 is gone, and no logic is altered. The risk surface is limited to transitive dependency behavior, which the lock file pins exactly.

No files require special attention — all three changed files are straightforward dependency declarations or the auto-generated lock file.

Important Files Changed

  • aw-client-rust/Cargo.toml: single-line reqwest version bump from 0.11 → 0.12; features unchanged (json, blocking, rustls-tls-native-roots, default-features = false).
  • aw-sync/Cargo.toml: single-line reqwest version bump from 0.11 → 0.12; uses default features (no default-features = false), same as before the PR.
  • Cargo.lock: regenerated lock file removes rustls-webpki 0.101.7, brings in rustls 0.23 / rustls-webpki 0.103.13 / hyper 1.x; both old and new hyper present due to other workspace crates.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[aw-client-rust / aw-sync] -->|reqwest 0.12| B[hyper 1.x]
    A -->|reqwest 0.12| C[rustls 0.23]
    C --> D[rustls-webpki 0.103.13 ✅]
    C --> E[rustls-native-certs]

    OLD_A[aw-client-rust / aw-sync] -->|reqwest 0.11 — removed| OLD_B[hyper 0.14]
    OLD_A -->|reqwest 0.11 — removed| OLD_C[rustls 0.21]
    OLD_C --> OLD_D[rustls-webpki 0.101.7 ❌ CVE]

    style D fill:#2d6a2d,color:#fff
    style OLD_D fill:#8b0000,color:#fff
    style OLD_A fill:#555,color:#ccc
    style OLD_B fill:#555,color:#ccc
    style OLD_C fill:#555,color:#ccc


Comment thread Cargo.lock

0xbrayo commented Jun 13, 2026

Member Author

🤖 Claude, on behalf of @0xbrayo

@greptile review

@ErikBjare ErikBjare merged commit 6f6c64a into ActivityWatch:master Jun 13, 2026
7 checks passed

Development

Successfully merging this pull request may close these issues.

sec: rustls-webpki 0.101.7 vulnerability — requires reqwest 0.11 → 0.12 upgrade
