deps(tls): switch from webpki to rustls-webpki

[MOZGIII]

Description

A simple dependency update to make the CVE detector happy.
Continuation of #4378.

Notes & open questions

This is a part of the work to make https://rustsec.org/advisories/RUSTSEC-2023-0052.html alerts go away.

Change checklist

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• A changelog entry has been made in the appropriate crates

[mxinden]

Thank you for the help here.

I am not deeply familiar with webpki and rustls-webpki history. In case there are any resources you can point me to, that would be much appreciated.

[MOZGIII]

Thank you for the help here.

I am not deeply familiar with webpki and rustls-webpki history. In case there are any resources you can point me to, that would be much appreciated.

I'm not that familiar myself, but the report at https://rustsec.org/advisories/RUSTSEC%2D2023%2D0052.html suggests that it is a maintained version, while from the looks of it the original webpki is indeed unmaintained - last commit was 2 years ago.

See https://github.com/rustls/webpki and https://github.com/briansmith/webpki.

[MOZGIII]

I think this is ready to merge now; I'm afraid this is the last low-hanging fruit here, and the rest requires going to webrtc and other upstreams and fixing it there.

It's unlikely I'll be going that myself in the near future, but hey there are plenty of other people who might be willing to fix it there, so I suggest just keeping an eye on the rest of the deps for now and waiting a bit to see if maybe they ship a new, fixed version.

[thomaseizinger]

Thanks! :)

Approvals have been dismissed because the PR was updated after the send-it label was applied.