Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove unmaintained third-party safemem crate #22504

Closed
wants to merge 2 commits into from
Closed

Remove unmaintained third-party safemem crate #22504

wants to merge 2 commits into from

Conversation

rillian
Copy link
Contributor

@rillian rillian commented Mar 7, 2024
edited
Loading

Apply the proposed patch from upstream to address the cargo audit warning about safemem being unmaintained. There's only a single call into that crate, which is replaced by a call to std::slice::copy_within which performs similar panic-based bounds checks.

Resolves brave/brave-browser#36616

Submitter Checklist:

  • I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@rillian rillian requested review from a team and bridiver as code owners March 7, 2024 22:11
@github-actions github-actions bot added the CI/run-audit-deps Check for known npm/cargo vulnerabilities (audit_deps) label Mar 7, 2024
@rillian rillian requested a review from kdenhartog March 7, 2024 22:16
rillian added 2 commits March 7, 2024 14:31
@rillian
lol_html: patch out unmaintained safemem crate
60a52ca 
Apply syphar's patch from cloudflare/lol-html#208
to address RUSTSEC-2023-0081 about `safemem` being unmaintained.

This uses `slice::copy_within`, added in Rust 1.37.0, instead, which
performs the same panic-based bounds checks. There should be no
behaviour change. The patch is against lol_html v1.2.0, but the code
hasn't changed since our v0.3.1.
@rillian
Remove unused safemem crate
f1a3fbd 
This is no longer necessary. It was used by lol_html but the use
has been replaced by newer `std` methods.
@rillian
Copy link
Contributor Author

rillian commented Mar 8, 2024

ci noplatform failure was brave/brave-browser#36615

After discussion, we've decided to ignore rather than patch, until we can update to a new upstream release including a fix.

@rillian rillian closed this Mar 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridiver bridiver Awaiting requested review from bridiver bridiver is a code owner

@kdenhartog kdenhartog Awaiting requested review from kdenhartog

Assignees

@rillian rillian

Labels
CI/run-audit-deps Check for known npm/cargo vulnerabilities (audit_deps)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Audit finding: https://rustsec.org/advisories/RUSTSEC-2023-0081
1 participant
@rillian