SOC2: Updates nitro-cli to v1.3.1 #472
Conversation
Is there a way we can split up these cargo.lock updates?
@james-callahan unfortunately I don't think that's an option. There are a lot of updates in cargo.lock because nitro-cli is a crate with a lot of dependencies itself: https://github.com/aws/aws-nitro-enclaves-cli/blob/837e1146ea76e1e9e4f2d1ad3e35a60811152473/Cargo.toml#L9-L30
If we want to update this crate we have to update the transitive dependencies in our cargo.lock, no way around it I'm afraid. And I bet some of nitro-cli's dependencies themselves have many dependencies and so on and so forth. How deep down the rabbit hole should we go here? My proposal is to review https://github.com/aws/aws-nitro-enclaves-cli/compare/v1.2.2..v1.3.1 (just did it, looks reasonable to me, nothing malicious), and we can wait until we have better tooling to review all of the transitive dependency updates. It's impractical to do it manually right now.
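The comment above describes the review problem: a single crate bump drags in many transitive Cargo.lock changes, and going through them by hand is impractical. The block below is an added example (not code from this PR or from the project it belongs to) of the kind of lockfile tooling that makes such a review tractable: a small Rust program that parses two Cargo.lock revisions, reports which crates were added, removed or bumped, and flags any entry whose checksum changed while its version did not, which a routine bump never produces and which therefore needs a human to explain before merging. It goes a little beyond this PR's case by handling crates pinned at several versions at once. The two lockfiles it works on are constructed inline to mirror the versions discussed in this PR; their checksums are placeholders, not real crates.io digests, and the crate `newdep` is invented for the example.

```rust
// Added example, not code from this PR or the project it belongs to: a minimal
// Cargo.lock differ that lists crates added, removed or bumped between two
// lockfile revisions and flags entries whose checksum changed while the version
// did not. The sample lockfiles are constructed; checksums are placeholders.
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` entry, reduced to the fields a review needs.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Package { pub name: String, pub version: String, pub checksum: Option<String> }

#[derive(Debug, PartialEq, Eq)]
pub enum Change {
    Added { name: String, version: String },
    Removed { name: String, version: String },
    Bumped { name: String, from: String, to: String },
    /// Same crate and version on both sides but a different checksum. Published
    /// crates.io versions are immutable, so a plain bump never produces this.
    ChecksumMismatch { name: String, version: String },
}

/// Parse the `[[package]]` blocks of a Cargo.lock, grouped by crate name (one
/// crate may be pinned at several versions). Only `key = "value"` lines inside
/// a package block are read; the header and `dependencies = [...]` are skipped.
pub fn parse_lock(text: &str) -> BTreeMap<String, Vec<Package>> {
    let mut by_name: BTreeMap<String, Vec<Package>> = BTreeMap::new();
    let mut cur: Option<Package> = None;
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            // Any table header ends the current package block.
            if let Some(p) = cur.take() { by_name.entry(p.name.clone()).or_default().push(p); }
            if line == "[[package]]" {
                cur = Some(Package { name: String::new(), version: String::new(), checksum: None });
            }
            continue;
        }
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if let Some((k, v)) = line.split_once('=') {
            let v = v.trim().trim_matches('"').to_string();
            match k.trim() {
                "name" => p.name = v,
                "version" => p.version = v,
                "checksum" => p.checksum = Some(v),
                _ => {}
            }
        }
    }
    if let Some(p) = cur.take() { by_name.entry(p.name.clone()).or_default().push(p); }
    by_name
}

/// Index one crate's pinned entries by version string.
fn by_version(pkgs: Option<&Vec<Package>>) -> BTreeMap<&str, &Package> {
    pkgs.into_iter().flatten().map(|p| (p.version.as_str(), p)).collect()
}

/// Compare two lockfiles. One version replaced by one other version of the same
/// crate is a bump; any other version change is reported as added/removed.
pub fn diff_locks(old_text: &str, new_text: &str) -> Vec<Change> {
    let (old, new) = (parse_lock(old_text), parse_lock(new_text));
    let names: BTreeSet<&String> = old.keys().chain(new.keys()).collect();
    let mut changes = Vec::new();
    for name in names {
        let (ov, nv) = (by_version(old.get(name)), by_version(new.get(name)));
        let gone: Vec<&str> = ov.keys().filter(|v| !nv.contains_key(*v)).copied().collect();
        let fresh: Vec<&str> = nv.keys().filter(|v| !ov.contains_key(*v)).copied().collect();
        if gone.len() == 1 && fresh.len() == 1 {
            changes.push(Change::Bumped { name: name.clone(), from: gone[0].into(), to: fresh[0].into() });
        } else {
            for v in gone { changes.push(Change::Removed { name: name.clone(), version: v.into() }); }
            for v in fresh { changes.push(Change::Added { name: name.clone(), version: v.into() }); }
        }
        // Versions present on both sides must carry the same checksum.
        for (v, op) in &ov {
            if let Some(np) = nv.get(v) {
                if op.checksum != np.checksum {
                    changes.push(Change::ChecksumMismatch { name: name.clone(), version: (*v).into() });
                }
            }
        }
    }
    changes
}

/// Entries a routine dependency bump cannot explain; these need a human.
pub fn suspicious(changes: &[Change]) -> Vec<&Change> {
    changes.iter().filter(|c| matches!(c, Change::ChecksumMismatch { .. })).collect()
}

/// Build a constructed lockfile from (name, version, checksum) triples.
pub fn lock_text(entries: &[(&str, &str, &str)]) -> String {
    let mut s = String::from("version = 3\n");
    for (n, v, c) in entries {
        s.push_str(&format!("\n[[package]]\nname = \"{n}\"\nversion = \"{v}\"\nchecksum = \"{c}\"\ndependencies = [\n \"libc\",\n]\n"));
    }
    s
}

/// Constructed before/after lockfiles mirroring the versions in this PR, plus
/// `bitflags`, whose checksum changes without a version change (PLACEHOLDER digests).
pub fn sample_locks() -> (String, String) {
    let old = lock_text(&[("bitflags", "1.3.2", "PLACEHOLDER-bitflags-a"), ("nitro-cli", "1.2.2", "PLACEHOLDER-nitro-122"),
        ("rustix", "0.37.15", "PLACEHOLDER-rustix-03715"), ("shlex", "1.1.0", "PLACEHOLDER-shlex-110"),
        ("vmm-sys-util", "0.11.1", "PLACEHOLDER-vmm-0111")]);
    let new = lock_text(&[("bitflags", "1.3.2", "PLACEHOLDER-bitflags-b"), ("newdep", "0.1.0", "PLACEHOLDER-newdep-010"),
        ("nitro-cli", "1.3.1", "PLACEHOLDER-nitro-131"), ("rustix", "0.38.34", "PLACEHOLDER-rustix-03834"),
        ("shlex", "1.3.0", "PLACEHOLDER-shlex-130"), ("vmm-sys-util", "0.12.1", "PLACEHOLDER-vmm-0121")]);
    (old, new)
}

fn main() {
    let (old, new) = sample_locks();
    let changes = diff_locks(&old, &new);
    for c in &changes { println!("{c:?}"); }
    println!("{} entries need manual review", suspicious(&changes).len());
}
```

Run against a real repository, `old` and `new` would be the Cargo.lock at the base and head commits (for example from `git show base:Cargo.lock`). The bump list is what a reviewer walks through with upstream compare links such as the one in the comment above; the checksum-mismatch list is the part that must be empty, since a crates.io version whose bytes changed under the same version number is exactly the kind of change a lockfile review exists to catch.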
Using experimental review diff analysis tooling, already-trusted-in-rust-core-projects comparisons for versions, diff review and other steps, @lrvick and I were able to substantially reduce the amount of necessary review and manually go through all remaining dependency code changes.
I can therefore approve this PR and propose someone from @tkhq/qos-operators approves it to unblock the merge 👍
CC @r-n-o @jack-kearney as a status update.
@jack-kearney @lrvick can one of you formally approve this? Thanks!
Summary & Motivation (Problem vs. Solution)
This PR addresses security vulnerabilities by updating key dependencies to their latest, patched versions, ensuring SOC2 compliance. Specifically, this PR updates `nitro-cli` to `v1.3.1`.

Vulnerable Package Updates

| Package | From | To |
| --- | --- | --- |
| shlex | 1.1.0 | 1.3.0 |
| vmm-sys-util | 0.11.1 | 0.12.1 |
| rustix | 0.37.15 | 0.38.34 |

Required Package Updates

| Package | From | To | Vulnerable dependencies |
| --- | --- | --- | --- |
| nitro-cli | 1.2.2 | 1.3.1 | shlex, vmm-sys-util, rustix |

How I Tested These Changes
`make` in root

Pre merge check list