replace hyper v0.10 with ureq
#13
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`hyper` v0.10 is extremely outdated, the current release is v1.6. this old version pulls in vulnerable dependencies (incl. `hyper` v0.10 itself). rather than upgrading to `hyper` v1.6 i opted to replace it with `ureq` since this crate here is not `async` and `hyper` v1 is completely `async`. due to the very limited amount of features needed from `hyper` (just executing HTTP POST requests) it can instead be replaced with the much simpler `ureq` crate. i initially opted for `reqwest`, however `reqwest` is primarily `async` (and uses `hyper` underneath). while it offers a `blocking` layer this causes major issues when integrating it further up the stack in an `async` context as also stated by the [`reqwest::blocking` docs]. this is a breaking change for consumers since the URLs can now just be passed as strings rather than having to call `.parse()?` on the string. note that this is similar to, but not the same as, adnanademovic#8 and adnanademovic#11. fixes adnanademovic#9 [`reqwest::blocking` docs]: https://docs.rs/reqwest/latest/reqwest/blocking/
code changes done using `cargo fix --edition`
Closed
rursprung
added a commit
to rursprung/rosrust
that referenced
this pull request
May 29, 2025
this updates to the latest `xml-rpc` version. note that at the moment this does not yet build since it hasn't been released yet. this requires adnanademovic/xml-rpc-rs#13 to be merged & released first. for the time being you can use this by using `[patch.crates-io]` in your `Cargo.toml` and overwrite both `rosrust` and `xml-rpc`. this update is needed to resolve various security vulnerabilities coming from outdated versions of `hyper` which are being pulled in via `xml-rpc`. with this, `cargo-audit` is happy again.
|
@adnanademovic: it'd be great if you could review & release this (+ the matching rosrust PR)! otherwise it'd be great if you could clarify the maintenance status of these two crates (marking them as unmaintained in the rustsec advisory DB and/or offering them up for transfer to someone interested in maintaining them longer-term (i'm not offering myself for this right now as my use of ROS 1 is only temporary)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
hyperv0.10 is extremely outdated, the current release is v1.6. this old version pulls in vulnerable dependencies (incl.hyperv0.10 itself).rather than upgrading to
hyperv1.6 i opted to replace it withureqsince this crate here is notasyncandhyperv1 is completelyasync. due to the very limited amount of features needed fromhyper(just executing HTTP POST requests) it can instead be replaced with the much simplerureqcrate.i initially opted for
reqwest, howeverreqwestis primarilyasync(and useshyperunderneath). while it offers ablockinglayer this causes major issues when integrating it further up the stack in anasynccontext as also stated by thereqwest::blockingdocs.this is a breaking change for consumers since the URLs can now just be passed as strings rather than having to call
.parse()?on the string.note that this is similar to, but not the same as, #8 and #11.
fixes #9