fix(deps): upgrade reqwest 0.11 → 0.12 to fix rustls-webpki vulnerability#617
Conversation
reqwest 0.11.x pins rustls 0.21.x, which only allows the vulnerable rustls-webpki 0.101.7 (flagged by Dependabot, GHSA for rustls-webpki). Upgrading to reqwest 0.12 pulls in rustls 0.23 and rustls-webpki 0.103.13, removing the vulnerable version from the tree. The rustls-tls-native-roots feature is kept (required for Android builds). No source changes were needed; the reqwest API surface used by aw-client-rust and aw-sync is unchanged between 0.11 and 0.12. Closes ActivityWatch#592
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage Diff (master vs. #617):

| | master | #617 | +/- |
|---|---|---|---|
| Coverage | 70.81% | 77.13% | +6.31% |
| Files | 51 | 62 | +11 |
| Lines | 2916 | 4951 | +2035 |
| Hits | 2065 | 3819 | +1754 |
| Misses | 851 | 1132 | +281 |
Greptile Summary
This PR upgrades
Confidence Score: 5/5
Safe to merge — the change is a targeted dependency version bump with no source modifications, the vulnerable crate is confirmed removed from the lock file, and the PR author verified a clean build and full test run. The change touches only two version strings in Cargo.toml files and the regenerated lock file. The reqwest API used by both crates (json serialization, blocking client) is backward-compatible across 0.11 → 0.12, the vulnerable rustls-webpki 0.101.7 is gone, and no logic is altered. The risk surface is limited to transitive dependency behavior, which the lock file pins exactly. No files require special attention — all three changed files are straightforward dependency declarations or the auto-generated lock file.
Important Files Changed
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[aw-client-rust / aw-sync] -->|reqwest 0.12| B[hyper 1.x]
    A -->|reqwest 0.12| C[rustls 0.23]
    C --> D[rustls-webpki 0.103.13 ✅]
    C --> E[rustls-native-certs]
    OLD_A[aw-client-rust / aw-sync] -->|reqwest 0.11 — removed| OLD_B[hyper 0.14]
    OLD_A -->|reqwest 0.11 — removed| OLD_C[rustls 0.21]
    OLD_C --> OLD_D[rustls-webpki 0.101.7 ❌ CVE]
    style D fill:#2d6a2d,color:#fff
    style OLD_D fill:#8b0000,color:#fff
    style OLD_A fill:#555,color:#ccc
    style OLD_B fill:#555,color:#ccc
    style OLD_C fill:#555,color:#ccc
```
Reviews (2): Last reviewed commit: "fix(deps): upgrade reqwest 0.11 -> 0.12 ..."
Summary

Fixes the `rustls-webpki 0.101.7` vulnerability flagged by Dependabot (#592) by upgrading `reqwest` from 0.11 → 0.12. `reqwest 0.11.x` pins `rustls 0.21.x`, which only allows the vulnerable `rustls-webpki 0.101.7`. `rustls-webpki 0.101.x` was never patched, so a `[patch.crates-io]` shim isn't possible. Upgrading to `reqwest 0.12` pulls in `rustls 0.23` and `rustls-webpki 0.103.13`, removing the vulnerable version from the dependency tree.

Changes
- `aw-client-rust/Cargo.toml`: `reqwest` 0.11 → 0.12
- `aw-sync/Cargo.toml`: `reqwest` 0.11 → 0.12
- `Cargo.lock`: regenerated (`rustls-webpki` 0.101.7 → 0.103.13, `rustls` 0.21 → 0.23, `hyper` 0.14 → 1.x, etc.)

Notes
- The `rustls-tls-native-roots` feature is kept (required for Android builds, per discussion in "sec: rustls-webpki 0.101.7 vulnerability — requires reqwest 0.11 → 0.12 upgrade" #592).
- No source changes were needed; the `reqwest` API surface used by `aw-client-rust` and `aw-sync` is unchanged between 0.11 and 0.12.
- `rustls-webpki 0.101.7` is no longer present in `Cargo.lock`; only `0.103.13` remains.

Verification
- `cargo build --workspace` ✅
- `cargo test -p aw-client-rust` ✅ (all tests pass, including the async/blocking status-error tests)
- `cargo clippy -p aw-client-rust -p aw-sync` ✅ (no new warnings)

Closes #592
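The review above leans on one verifiable fact, that `rustls-webpki 0.101.7` is no longer in `Cargo.lock` and `0.103.13` is the only version left, and on knowing which crate pulled it in (reqwest → rustls → rustls-webpki). The usual commands are `cargo tree -i rustls-webpki` for the reverse path and `cargo audit` for the RustSec advisory check, but the lock file is plain TOML and the check is easy to script, which is useful in CI where neither tool is installed. The following is an added example, not ActivityWatch code and not part of this PR: a std-only scanner that parses the `[[package]]` entries of a lock file, flags the unpatched line as described in the PR text (any `rustls-webpki 0.101.*`, which is an assumption drawn from "0.101.x was never patched"), and names the crates that depend on it. The lock excerpts it runs on are constructed in the code, with placeholder patch levels for reqwest, rustls and hyper.

```rust
// Added example, not ActivityWatch code: a std-only Cargo.lock scanner that flags a
// known-bad crate version in the resolved tree and reports which crates pull it in
// (what `cargo tree -i rustls-webpki` prints). Each resolved crate in Cargo.lock is a
// `[[package]]` TOML table with `name`, `version` and an optional `dependencies = [...]`.
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub deps: Vec<String>, // dependency names only: "name ver (source)" -> "name"
}

/// Value of `key = "..."` if `line` is exactly that assignment.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let (k, v) = line.split_once('=')?;
    (k.trim() == key).then(|| v.trim().strip_prefix('"')?.strip_suffix('"')).flatten()
}

/// Parse every `[[package]]` entry; keys we do not need are skipped.
pub fn parse_lock(lock: &str) -> Vec<Package> {
    let (mut out, mut cur, mut in_deps) = (Vec::new(), None::<Package>, false);
    for line in lock.lines().map(str::trim) {
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(p) = cur.as_mut() {
                let dep = line.trim_matches(|c: char| c == ',' || c == '"');
                p.deps.extend(dep.split_whitespace().next().map(str::to_string));
            }
        } else if line == "[[package]]" {
            out.extend(cur.take());
            cur = Some(Package { name: String::new(), version: String::new(), deps: vec![] });
        } else if line.starts_with('[') {
            out.extend(cur.take()); // some other table, e.g. [metadata]
        } else if let Some(p) = cur.as_mut() {
            if let Some(n) = quoted_value(line, "name") {
                p.name = n.to_string();
            } else if let Some(v) = quoted_value(line, "version") {
                p.version = v.to_string();
            } else if line.starts_with("dependencies") && line.ends_with('[') {
                in_deps = true;
            }
        }
    }
    out.extend(cur.take());
    out
}

/// `MAJOR.MINOR.PATCH` as a triple; pre-release and build suffixes are ignored.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// The predicate behind this PR, taken as an assumption from its text:
/// rustls-webpki 0.101.x was never patched, so any 0.101.* is a finding.
pub fn is_unpatched_webpki(p: &Package) -> bool {
    p.name == "rustls-webpki" && matches!(parse_version(&p.version), Some((0, 101, _)))
}

/// All packages in `lock` matching `pred`.
pub fn findings(lock: &str, pred: impl Fn(&Package) -> bool) -> Vec<Package> {
    parse_lock(lock).into_iter().filter(|p| pred(p)).collect()
}

/// Crates that depend directly on `name`: the first hop `cargo tree -i` would print.
pub fn reverse_deps(lock: &str, name: &str) -> Vec<String> {
    let pulls_in = |p: &Package| p.deps.iter().any(|d| d == name);
    parse_lock(lock).into_iter().filter(pulls_in).map(|p| format!("{} {}", p.name, p.version)).collect()
}

/// Constructed lock-file excerpt (patch levels are placeholders) for the
/// reqwest -> rustls -> rustls-webpki chain the PR describes.
pub fn lock_excerpt(reqwest: &str, rustls: &str, webpki: &str) -> String {
    const TEMPLATE: &str = r#"
[[package]]
name = "reqwest"
version = "@REQWEST@"
dependencies = [
 "rustls @RUSTLS@",
]
[[package]]
name = "rustls"
version = "@RUSTLS@"
dependencies = [
 "rustls-webpki @WEBPKI@",
]
[[package]]
name = "rustls-webpki"
version = "@WEBPKI@"
"#;
    TEMPLATE.replace("@REQWEST@", reqwest).replace("@RUSTLS@", rustls).replace("@WEBPKI@", webpki)
}

fn main() {
    let before = lock_excerpt("0.11.0", "0.21.0", "0.101.7"); // reqwest 0.11 tree
    let after = lock_excerpt("0.12.0", "0.23.0", "0.103.13"); // reqwest 0.12 tree
    for (label, lock) in [("before", &before), ("after", &after)] {
        let bad = findings(lock, is_unpatched_webpki);
        println!("{}: {} unpatched rustls-webpki entries", label, bad.len());
        for p in &bad {
            println!("  {} {} pulled in by {:?}", p.name, p.version, reverse_deps(lock, &p.name));
        }
    }
}
```

Against the pre-upgrade excerpt the scanner reports one finding, `rustls-webpki 0.101.7` pulled in by `rustls 0.21.0`; against the post-upgrade excerpt it reports none, which is the property the PR's Notes assert. On a real workspace, feed it `std::fs::read_to_string("Cargo.lock")` and fail the CI job when `findings` is non-empty; a `[patch.crates-io]` entry would show up here as a second `[[package]]` with a `source` pointing at the patch, which is exactly why the PR notes that route was unavailable for 0.101.x.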