Bump secp256k1 to v0.24.2 #1528

Merged
merged 1 commit into from
Dec 7, 2022
@HCastano HCastano commented Dec 7, 2022

Versions >= 0.24.0 have a soundness bug, so we need to ensure people
are using >= 0.24.2

See here for more: rustsec/advisory-db#1480

@codecov-commenter

Codecov Report

Merging #1528 (be19620) into master (bf2de8f) will decrease coverage by 0.06%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1528      +/-   ##
==========================================
- Coverage   71.67%   71.61%   -0.07%     
==========================================
  Files         204      204              
  Lines        6320     6320              
==========================================
- Hits         4530     4526       -4     
- Misses       1790     1794       +4     
Impacted Files Coverage Δ
crates/allocator/src/bump.rs 88.23% <0.00%> (-1.69%) ⬇️
crates/metadata/src/layout/mod.rs 75.83% <0.00%> (-1.67%) ⬇️

@HCastano HCastano merged commit 800cd72 into master Dec 7, 2022
@HCastano HCastano deleted the hc-bump-secp256k1 branch December 7, 2022 17:05
Kixunil commented Dec 7, 2022

Out of curiosity, how did you find out so fast? RustSec wasn't even touched by the maintainers not to mention merging.

HCastano commented Dec 7, 2022

@Kixunil haha, mostly a coincidence.

I was checking the installation of a new cargo-contract release which we published ~12 hours ago, and during that I saw a warning that secp256k1@0.24.1 had been yanked.

❯ cargo install cargo-contract --force --version 2.0.0-beta.1 --locked
    Updating crates.io index
  Installing cargo-contract v2.0.0-beta.1
warning: package `secp256k1 v0.24.1` in Cargo.lock is yanked in registry `crates-io`, consider running without --locked

Started digging as to why and landed on that PR

Kixunil commented Dec 7, 2022

Oh, wow, that wasn't that much of a coincidence then since we purposely yanked it to cause this warning. Happy it worked! 😄
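
A lockfile check for the version range this PR names, as an added example that is not part of the thread or of this repository's code: it scans `Cargo.lock` text for `secp256k1` entries at or above 0.24.0 and below 0.24.2. The function names and the sample lockfile are constructed for illustration.

```rust
// Added example, not from this repository. SAMPLE_LOCK is constructed.
// Flags secp256k1 versions in the PR's stated range: >= 0.24.0, below 0.24.2.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "secp256k1"
version = "0.24.1"
[[package]]
name = "secp256k1-sys"
version = "0.6.1"
"#;

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { return None; }
    Some(triple)
}

/// Extract the quoted value from a lockfile line such as `name = "secp256k1"`.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every locked secp256k1 version that falls in the affected range.
fn affected_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut current_name: Option<&str> = None;
    for line in lockfile.lines() {
        if line.trim() == "[[package]]" {
            current_name = None; // a new package entry starts here
        } else if let Some(name) = quoted_value(line, "name") {
            current_name = Some(name);
        } else if let Some(ver) = quoted_value(line, "version") {
            let in_range = parse_version(ver)
                .map_or(false, |v| v >= (0, 24, 0) && v < (0, 24, 2));
            // Exact name match, so secp256k1-sys is not confused with secp256k1.
            if current_name == Some("secp256k1") && in_range {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() {
    for v in affected_versions(SAMPLE_LOCK) { println!("secp256k1 {} is affected", v); }
}
```

Run against a project's real `Cargo.lock` in CI, a non-empty result can fail the build without waiting for the yank warning to be noticed.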

HCastano added a commit that referenced this pull request Jan 23, 2023